Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
[For brevity, this is intended as a message in support of Joe's position. I think my original got eaten in the earlier mail server event announced on ietf@, so apologies for any duplicates.]

On Tue, Sep 02, 2008 at 03:46:48PM -0400, Joe Abley wrote:
> My point is that there are a large number of distributed denial of service attacks happening every day, on a scale large enough to involve multiple providers and cross-organisational teams for mitigation.

For informational purposes, I'd like to point out that yesterday on the NANOG mailing list, it was asserted that DNS Amplification attacks are being observed by one security worker (Gadi Evron) on a seemingly daily basis, frustrated by the lack of adoption of BCP 38 (which is proposed as the root cause). [1]

Let me say that it is entirely right to suggest that in this case, if you are engaged in a dialogue of logical deduction, then in the face of the claim that something does not exist, the responsibility of argument is to prove that thing does exist, on the basis that one cannot reasonably prove non-existence of any physical object (or event) with Aristotelian tenacity.

Which is problematic because such a proof (with Aristotelian tenacity) in this case would require publishing of normally withheld and guarded data in provably unaltered forms. This may not even be possible. This would appear then to be an impasse if the IETF required such tenacity.

Fortunately, the IETF works on a basis of consensus among practitioners, not on a basis of Aristotelian deductive proofs of draft contents and volunteers' opinions.

I'm content to agree with the other WG participants that DNS Amplification attacks do persist in the modern day, and that it is useful to write and publish a document that seeks mitigation. I hope that the WG's consensus will be so measured by the chairs.

[1] - http://www.merit.edu/mail.archives/nanog/msg11131.html

--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?      https://secure.isc.org/store/t-shirt/
--
David W. Hankins                     "If you don't do it right the first time,
Software Engineer                     you'll just have to do it again."
Internet Systems Consortium, Inc.     -- Jack T. Hankins

___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
Gentlefolks,

I note that Gadi Evron was, until recently, employed by Afilias, the same company as Joe Abley. At present, according to another recent NANOG controversy, Mr. Evron. Mr Hankins is also not an independent source, being part of ISC, Joao Damas' (document author) employer.

Also, I do not think that we need to require Aristotelian proof. The basis of my objection isn't the lack of Aristotelian proof. Rather, it seems reasonable to require _some_ evidence that this is a real problem, especially in light of the contrived and exaggerated nature of the claims; the fact that there are DNS attacks that are easier to conduct; the fact that the alternative attack doesn't risk detection; the fact that the alternative attack is harder to mitigate; as well as the previously discredited source(s) of the claims [See http://www.iadl.org/nanog/nanog-story.html and http://www.iadl.org/maps/maps-story.html]

Given that the questioned sources form only a tiny part of even just the North American ISPs, it shouldn't be very hard to find credible sources---that is, if indeed this is a real problem that is widely experienced by internet service providers and that this problem is serious enough to justify the costs of closing open recursors. But so far, we've seen no direct evidence nor any indirect evidence. Anecdotes and personal assurances from a tiny group that has collaborated (properly and improperly) in the past are insufficient to justify the costs of implementing this change.

I am also reminded of another point that hasn't been brought up recently: BCP38 provides a complete and general solution for this and other spoofing attacks. Given BCP38, there is really no need for this document. BCP38 should protect many services that could potentially be abused by spoofing, including the legitimate uses of open recursors. The efforts spent on this document (both in writing and in later implementation) would be better applied to promoting and implementing BCP38.

I might suggest a poll of ISPs, and if 5000 or so ISPs worldwide agree that open recursors attacks are a current, serious problem that can't be solved by BCP38, then it's a problem that should be acted on. However, given past experiences with blacklists (particularly the proponents' association with disreputable blacklists), we should take care that the proponents do not unduly solicit or threaten ISPs to obtain agreement.

Thanks,

--Dean

On Fri, 5 Sep 2008, David W. Hankins wrote:

> [For brevity, this is intended as a message in support of Joe's position. I think my original got eaten in the earlier mail server event announced on ietf@, so apologies for any duplicates.]
>
> On Tue, Sep 02, 2008 at 03:46:48PM -0400, Joe Abley wrote:
>> My point is that there are a large number of distributed denial of service attacks happening every day, on a scale large enough to involve multiple providers and cross-organisational teams for mitigation.
>
> For informational purposes, I'd like to point out that yesterday on the NANOG mailing list, it was asserted that DNS Amplification attacks are being observed by one security worker (Gadi Evron) on a seemingly daily basis, frustrated by the lack of adoption of BCP 38 (which is proposed as the root cause). [1]
>
> Let me say that it is entirely right to suggest that in this case, if you are engaged in a dialogue of logical deduction, then in the face of the claim that something does not exist, the responsibility of argument is to prove that thing does exist, on the basis that one cannot reasonably prove non-existence of any physical object (or event) with Aristotelian tenacity.
>
> Which is problematic because such a proof (with Aristotelian tenacity) in this case would require publishing of normally withheld and guarded data in provably unaltered forms. This may not even be possible. This would appear then to be an impasse if the IETF required such tenacity.
>
> Fortunately, the IETF works on a basis of consensus among practitioners, not on a basis of Aristotelian deductive proofs of draft contents and volunteers' opinions.
>
> I'm content to agree with the other WG participants that DNS Amplification attacks do persist in the modern day, and that it is useful to write and publish a document that seeks mitigation. I hope that the WG's consensus will be so measured by the chairs.
>
> [1] - http://www.merit.edu/mail.archives/nanog/msg11131.html

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
On Wed, 3 Sep 2008, Danny McPherson wrote:

> You don't see any evidence of attacks because you haven't read about them on NANOG [or various network forums that you do monitor] - duly noted, and comically ironic.

It is indeed comically ironic (telling, actually) that NANOG hasn't discussed the issue. But I fail to understand why YOU think that is comically ironic. It is not merely that *I* don't see any evidence. It is that NO ONE has presented ANY evidence of ANY FURTHER ATTACKS, despite being challenged to provide some evidence. Someday (after we approve this document I suppose) you promise to have *OG types report on this attack.

> This survey has nothing to do with NANOG, and it's not in any way supported or executed by NANOG. I'm not sure why you keep repeating this when I responded to your initial query as such:
>
>> No, there's quite a wide distribution of responses, but mostly *OG types in various regions.

I never said the survey was sponsored by NANOG. But as you admit above, it is limited to the *OG types, which I note have misled us in the past. http://www.iadl.org/nanog/nanog-story.html

I'm not very surprised that Vixie and Crocker support this document by personal attacks. They try to use emotion rather than reason to get what they want. They've done that before with the result that the Working Group and the public is deceived.

On Wed, 3 Sep 2008, Paul Vixie wrote:

> how long is this community going to let a single person dominate its agenda?

The deception in this assertion is just incredible. I haven't prevented anyone from discussing anything. This is an email list; anyone can post at any time. Vixie/Crocker (calling me troll) are just engaging in namecalling, and have added nothing but noise and emotion.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
Dean,

I'm not going to argue this point by point with you, I simply provided data points on what folks who do this as part of their day job have observed and reported. You can choose to accept this, or not. As for bots and CCs and what's done in practice today and what's not, well, I know a little about that, as well as many other folks here on the list. If you have pointers to any empirical or even anecdotal evidence I'd love to consider that in the future, but conjecture provides little value.

>> No, there's quite a wide distribution of responses, but mostly *OG types in various regions.
>
> Ahh. Figured as much.

Out of curiosity, who do you believe should respond to a security operations survey - beyond those in security ops positions, that is?

>>> Mr. McPherson is associated with NANOG, attending 18 meetings as of NANOG 42; Only 46 people have attended more NANOG meetings than Mr. McPherson.
>>
>> Interesting tidbit, I had no idea. Useless, but interesting :-)
>
> Useless to you perhaps. Not so useless to everyone. But it's interesting that you aren't concerned by the association with the other improper activities. I guess you know about those, so it comes as no surprise.

I've been to twice as many IETF meetings, and here, just like there, I've learned over the years that there's cruft everywhere and the key is being able to apply appropriate filters based on one's personal experiences and opinions.

-danny
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
On Sep 3, 2008, at 9:42 AM, Dean Anderson wrote:

> I choose to report on why this data is not credible and should not be accepted by the DNSOP WG.

I believe the WG has heard your position:

> There has been no further discussion of these attacks since the two very small motivating attacks were discussed on NANOG some time ago. I don't see any evidence that there have been more than two such attacks.

You don't see any evidence of attacks because you haven't read about them on NANOG [or various network forums that you do monitor] - duly noted, and comically ironic.

> The difference is that as a senior core member of NANOG, NANOG's disreputable activities reflect on you and discredit its surveys and reports. NANOG doesn't reflect the ISPs of North America, as shown by the 3000 or so members of ARIN versus the small number of core NANOG participants.

This survey has nothing to do with NANOG, and it's not in any way supported or executed by NANOG. I'm not sure why you keep repeating this when I responded to your initial query as such:

> No, there's quite a wide distribution of responses, but mostly *OG types in various regions.

I'm tempted to take your bait and take offense to your comments above, but instead, will get back doing something productive as my points have been made.

Done wasting bandwidth on this discussion here,

-danny
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
On Tue, 2 Sep 2008, Joe Abley wrote:

> Dean,
>
> On 1 Sep 2008, at 20:57, Dean Anderson wrote:
>
>> mostly operations people (as opposed to credible engineers)?
>
> If av8.net starts selling t-shirts, I'll take one with that phrase.

Perhaps a t-shirt should have this quote from Paul Vixie: describing the IETF as "self-selected rabble and trolls" http://www.ietf.org/mail-archive/web/ietf/current/msg25874.html

Or later in the same message, Vixie says "it's hard to commit acts of leadership inside a burning movie theatre." Which is just wrong. It's quite easy to commit acts of leadership during an emergency. (the emergency being spam) The problem was that Vixie was himself a spammer, false teaming with anti-spammers and misleading network operators.

Of course, there will be no such t-shirt, you are just using the notion of t-shirt to misrepresent something I said. I don't mean to say that network operators aren't credible, as you seem to imply. I definitely appreciate the craft skills very much. But craft skills don't generally imply knowledge of theory and mathematics; actual engineering. I mean that network operations staff have a history of being easily misled by emotional appeals such as "the war won't be over until the last spammer's head is stuck onto a spear at the city limits." --Paul Vixie, Sept 1997. Although this really fired-up network operations staff, it was later discovered that Vixie was a spammer. Network operations staff however gave Vixie (MAPS/SORBS/SPAMHAUS) anti-spam information on Whitehat's competition, while Whitehat was able to avoid spam-traps; none of this would have been possible without the support of the misled network operations staff.

This draft is a similar emotional appeal with insufficient basis in fact of number of attacks, or in theory.

>> There is no harm in public resolvers.
>
> Not to the people running the resolvers, usually, no.

There is usually no harm to anyone from open resolvers. No one has reported any further attacks since this draft was conceived.

I note that there have been no substantive answers to any of the questions I raised, just platitudes and personal attacks. Have there been any subsequent attacks since the motivating attack was reported?

Given that we now have some high-profile DNSSEC test zones (thanks to David Conrad), there is now no reason at all to use a recursor in a DDOS attack. One would merely make DNSSEC queries against a high-profile authority server. One can conduct attacks on well-known high-profile authority servers without the risk of exposure inherent in searching out reflectors. And I note that Paul Wouters previously asserted that 100:1 amplification is a non-issue. If so, then certainly reflector attacks are also a non-issue for the same reason. So, this draft is in search of a problem to solve.

However, closing open recursors may promote the sales of DNS servers to people who didn't need them before, so I wonder about that. And can we expect to see people selling 'reflector blacklist' products to ISPs to block DNS to open recursors, merely because the recursors are open? Will we see 'reflector blacklist' people scanning for open recursors?

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
On Sep 2, 2008, at 9:47 AM, Joe Abley wrote:

>> There is usually no harm to anyone from open resolvers. No one has reported any further attacks since this draft was conceived.
>
> That is not true. It's possible that the forums in which such attacks are discussed are not available to you, of course. I say that not as some kind of thinly-veiled attack, but merely as an observation that security ops forums tend not to be public.

I'd note that this 2008 Infrastructure Security Survey collection is about done, and the largest reported attack over the past 12 months was just north of 40 Gbps (yes, I meant to type forty) and employed DNS-based reflective amplification vectors. Others reported these attacks well above 10 Gbps in the past 12 months as well. Report to be published in next month or two.

-danny
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
On Tue, 2 Sep 2008, Joe Abley wrote:

> On 2 Sep 2008, at 11:04, Dean Anderson wrote:
>
>>>> There is no harm in public resolvers.
>>>
>>> Not to the people running the resolvers, usually, no.
>>
>> There is usually no harm to anyone from open resolvers. No one has reported any further attacks since this draft was conceived.
>
> That is not true. It's possible that the forums in which such attacks are discussed are not available to you, of course. I say that not as some kind of thinly-veiled attack, but merely as an observation that security ops forums tend not to be public.

Really? Your position is that there are attacks but all these attacks are somehow being kept secret? People talked about ping floods, syn floods, and an uncountable slew of other attacks. Incredible. If these attacks were indeed happening, someone, somewhere would be talking about specific attacks.

>> I note that there have been no substantive answers to any of the questions I raised, just platitudes and personal attacks.
>
> Oh, I didn't notice any questions. In any case, I was only responding to what I saw as factual errors.

But you don't have any factual counter-evidence to offer to refute the alleged factual errors. Incredible.

> And I was serious about the t-shirt, if the price is reasonable. XXL, thanks.

Then you should know that this isn't a proper forum to be soliciting me about t-shirts.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
On 2 Sep 2008, at 13:43, Dean Anderson wrote:

> Really? Your position is that there are attacks but all these attacks are somehow being kept secret? People talked about ping floods, syn floods, and an uncountable slew of other attacks. Incredible.

My point is that there are a large number of distributed denial of service attacks happening every day, on a scale large enough to involve multiple providers and cross-organisational teams for mitigation.

When new attack techniques emerge, sometimes they make the news. The fiftieth DNS reflection attack on any particular day, years after the technique was first described, is unlikely to be newsworthy. The fact that alarm bells are not sounding in the streets doesn't mean that people continue to work to mitigate such attacks, however, nor that such attacks no longer happen.

The existence of closed, operational forums for the discussion and mitigation of denial of service attacks is no great secret to operators. If you're unaware, and you're an operator, feel free to drop me a private note. I would be very happy to let you know about the subscription procedures and attendant vetting by peers that would be required for you to participate (at least, in the forums I am aware of). I imagine discussions of your applicability would be entertaining.

At a higher level, you seem to be seeking some measure of proof regarding the existence of something. My aim was not to provide proof of anything, since as far as I know this is not a court of law, a philosophy class nor a distillery. Apologies if that was not clear.

> If these attacks were indeed happening, someone, somewhere would be talking about specific attacks.

And my point is that they are. Your point is that you don't believe me. I might make the point that I don't care who believes me. Regardless, I will continue not to lose sleep.

>> And I was serious about the t-shirt, if the price is reasonable. XXL, thanks.
>
> Then you should know that this isn't a proper forum to be soliciting me about t-shirts.

Shame. Perhaps someone else will do the right thing and start selling av8 t-shirts with such pithy catchphrases, given your documented lack of interest in exploiting this no-doubt lucrative opportunity.

Joe
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
> 2) Why would anyone capable of programming bother searching for open recursors (with often small connection speeds) when they can use 100+ root servers with large amplification factors and high bandwidth connections at key exchange points?

Because there are much better amplification factors available than those you can produce using the root servers. The roots still only send unfragmented UDP responses.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: [EMAIL PROTECTED]
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
Dean Anderson wrote:

> A useful technique for scan detection is a non-production special server. Scanners show up in the logs; no one else does. Dnscache, BIND, and PowerDNS all have the necessary logging capabilities.

http://en.wikipedia.org/wiki/Honeypot_(computing)

- Kevin
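The decoy-resolver idea above (a non-production server whose only clients are scanners) is easy to turn into a small log report. The following script is an added example, not code from the thread or from any of the DNS implementations named in it. It assumes a BIND 9 style query log line of the form `<date> <time> client <ip>#<port>: query: <qname> IN <qtype> <flags>` (an assumption; real deployments should check their own log format), and the log lines it works on are constructed for the example. Because the decoy serves nobody, every source that appears is worth looking at; the classifier separates sources that walk across many names (consistent with scanning for open recursors) from sources that repeat the same large-answer query with what is probably a spoofed address (the would-be victim), so that an operator rate-limits the pattern rather than blocks the spoofed address.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines (not real log entries) in the assumed BIND 9
# query-log style. The decoy resolver has no legitimate clients, so any
# client in this log is either scanning or sending spoofed-source probes.
SAMPLE_LOG = """\
02-Sep-2008 12:44:01.101 client 198.51.100.7#40123: query: a.example.net IN A +
02-Sep-2008 12:44:01.380 client 198.51.100.7#40124: query: b.example.net IN A +
02-Sep-2008 12:44:02.022 client 198.51.100.7#40125: query: c.example.net IN ANY +E
02-Sep-2008 12:45:10.555 client 203.0.113.9#53: query: example.com IN ANY +E
02-Sep-2008 12:45:10.556 client 203.0.113.9#53: query: example.com IN ANY +E
02-Sep-2008 12:45:10.557 client 203.0.113.9#53: query: example.com IN ANY +E
02-Sep-2008 12:45:10.558 client 203.0.113.9#53: query: example.com IN ANY +E
02-Sep-2008 12:46:00.000 client 192.0.2.44#1024: query: www.example.org IN AAAA -
this line is not a query-log entry and is skipped by the parser
"""

# Assumed field layout; adjust the pattern to the logging format actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)$"
)


@dataclass
class SourceStats:
    queries: int = 0
    qnames: set = field(default_factory=set)   # distinct names asked for
    qtypes: set = field(default_factory=set)   # distinct query types
    edns: int = 0                              # queries carrying the EDNS0 "E" flag


def parse_line(line):
    """Return the fields of one query-log line, or None if it is not a query entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate per-source statistics over the decoy resolver's query log."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.queries += 1
        s.qnames.add(rec["qname"])
        s.qtypes.add(rec["qtype"])
        if "E" in rec["flags"]:
            s.edns += 1
    return dict(stats)


def classify(stats):
    """Label each source seen on the decoy.

    reflection-probe: the same large-answer query (ANY) repeated several times;
                      the source address is likely spoofed, so treat the pattern
                      as the thing to rate-limit, not the address as the culprit.
    scanner:          several distinct names from one source, the shape of a
                      host walking resolvers to see which ones answer.
    unknown:          anything else; still notable, since nobody should be here.
    """
    labels = {}
    for ip, s in stats.items():
        if s.queries >= 3 and len(s.qnames) == 1 and "ANY" in s.qtypes:
            labels[ip] = "reflection-probe"
        elif len(s.qnames) >= 2:
            labels[ip] = "scanner"
        else:
            labels[ip] = "unknown"
    return labels


def report(log_text):
    """Human-readable lines, busiest source first."""
    stats = summarize(log_text)
    labels = classify(stats)
    rows = sorted(stats.items(), key=lambda kv: kv[1].queries, reverse=True)
    return [
        f"{ip:<16} {labels[ip]:<17} queries={s.queries} names={len(s.qnames)} "
        f"types={','.join(sorted(s.qtypes))} edns={s.edns}"
        for ip, s in rows
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The thresholds in `classify` are deliberately simple; on a real decoy the useful signal is the set of sources at all, and the labels only help decide whether to add an address to a watch list or to ask the upstream about spoofed traffic.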
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
On Tue, 2 Sep 2008, Joe Abley wrote:

> On 2 Sep 2008, at 13:43, Dean Anderson wrote:
>
>> Really? Your position is that there are attacks but all these attacks are somehow being kept secret? People talked about ping floods, syn floods, and an uncountable slew of other attacks. Incredible.
>
> My point is that there are a large number of distributed denial of service attacks happening every day, on a scale large enough to involve multiple providers and cross-organisational teams for mitigation.
>
> When new attack techniques emerge, sometimes they make the news. The fiftieth DNS reflection attack on any particular day, years after the technique was first described, is unlikely to be newsworthy. The fact that alarm bells are not sounding in the streets doesn't mean that people continue to work to mitigate such attacks, however, nor that such attacks no longer happen.

Significant problems are always newsworthy, or at least discussion-worthy on various network forums that I do monitor. There has been no further discussion of these attacks since the two very small motivating attacks were discussed on NANOG some time ago. I don't see any evidence that there have been more than two such attacks.

> The existence of closed, operational forums for the discussion and mitigation of denial of service attacks is no great secret to operators. If you're unaware, and you're an operator, feel free to drop me a private note. I would be very happy to let you know about the subscription procedures and attendant vetting by peers that would be required for you to participate (at least, in the forums I am aware of). I imagine discussions of your applicability would be entertaining.

I never said the existence of forums was secret. Indeed, the genuine forums are usually for coordination between major carriers' operations groups, and so are only appropriate to the operations employees of those few major carriers. The rest of the (somewhat dubious) forums are groups more or less like blackhat; groups basically training bad guys and/or sharing techniques among bad guys, or else among dilettantes. Because I am not currently employed in the operations department of a large major carrier myself, I would be unable to actually mitigate any in-progress attacks. Moreover, I've always worked for major carriers in engineering, not operations. So I can't imagine why I would ever want to be in a genuine forum, nor would I want to be in any dubious forum. I note that you aren't employed by any of the major carriers, either. In any case, I doubt that I would need your assistance with any application.

However, not participating in the actual mitigation efforts doesn't mean that attacks aren't discussed post-mortem. These discussions are usually more widespread and are more public. But you have no evidence of such discussion, nor evidence of any actual attacks whatsoever after the motivating attacks.

> At a higher level, you seem to be seeking some measure of proof regarding the existence of something. My aim was not to provide proof of anything, since as far as I know this is not a court of law, a philosophy class nor a distillery. Apologies if that was not clear.

I guessed that your aim was not to provide proof of your assertions. However, for your claims to be credible, there needs to be some evidence that this is a problem that needs to be solved, that the costs are justified. You have no evidence of there being a problem and your claims are not credible because of the lack of evidence. The costs imposed on legitimate open recursors are unjustified.

>> If these attacks were indeed happening, someone, somewhere would be talking about specific attacks.
>
> And my point is that they are. Your point is that you don't believe me. I might make the point that I don't care who believes me. Regardless, I will continue not to lose sleep.

The people who don't believe you won't lose sleep either when we collectively decide you don't have a genuine problem to be solved, or don't have any evidence of a genuine problem.

>>> And I was serious about the t-shirt, if the price is reasonable. XXL, thanks.
>>
>> Then you should know that this isn't a proper forum to be soliciting me about t-shirts.
>
> Shame. Perhaps someone else will do the right thing and start selling av8 t-shirts with such pithy catchphrases, given your documented lack of interest in exploiting this no-doubt lucrative opportunity.

Then I guess they'll learn about the law on trademark infringement.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000
Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC
On Tue, 2 Sep 2008, Danny McPherson wrote:

> On Sep 2, 2008, at 12:44 PM, Dean Anderson wrote:
>
>> I find this hard to believe from three standpoints:
>>
>> 1) the expected number of open DNS recursors and their collective bandwidth doesn't seem to be large enough to support a 40Gbps attack.
>
> Really? With trivial amplification vectors 20 low-speed broadband connected bots can generate nearly 1.5 Gbps of attack traffic.

It isn't the case that many open recursors are on low-speed broadband connections; that is a residential service, while recursors are usually run by businesses or ISPs, which changes a number of things.

I also suppose you expect that 20 * 384kbps * 100x = 1.5Gbps. (384kbps upload speed) (100x amplification factor)

The error in your estimate is that you assume if there are bots to send demand, that there are recursors to handle the load. This just isn't the case. The estimate is an ideal maximum, assuming a lot of things are true that aren't true. For example, one never has ideal bandwidth available to any host. And one must still have enough recursors to handle the offered load. But there aren't enough recursors to provide the load. There are only about 20k or so recursors, and most don't sit on high bandwidth connections. Many don't support EDNS0, so can't get more than about 10x amplification, anyway. Most businesses and ISPs would probably soon notice their participation in a DDOS attack due to their own bandwidth consumption and block the (spoofed) source address without damage as a result of the block, or an upstream carrier would block the spoofed source, also without collateral damage. Furthermore, it's relatively easy to change the IP address of a recursor. Abusers need to keep scanning.

> So, that'd put you around 500 or so bots, and any number of open resolvers, to generate such an attack, which is low-hanging fruit these days.

Really? Recursors are 'low hanging fruit'? By what measure?

> Of course, the reported amplification vector was higher than this, the number of bots lowers.

Higher than what? You can't get more than about 100x from DNS under ideal conditions.

>> 2) Why would anyone capable of programming bother searching for open recursors (with often small connection speeds) when they can use 100+ root servers with large amplification factors and high bandwidth connections at key exchange points?
>
> We'll leave that an exercise for the reader...

Let's not, since it's important to consider the alternatives available to the attacker and the costs of this proposal. Significantly, the abuser has an option that doesn't expose them to discovery by their scanning efforts, and the other attack isn't very easy to mitigate. It doesn't require the effort of scanning, or of distributing a payload of recursors to the bots. Quite a lot easier to do. This seems to make the other attack much more attractive. Something about low-hanging fruit???

>> 3) Why aren't these attacks being prosecuted? Someone searching for open recursors is bound to be noticed. The only people I know of searching for open recursors is UltraDNS and a scientific group at Cornell.
>
> Searching for open recursors and launching an attack are two entirely different things.

Yes. One must precede the other. Scanning comes first. And abusers need to keep scanning, which puts them at a disadvantage for this attack.

> And launching spoofed-based attacks makes finding the attacking sources more difficult. And given that they're most always botted, you then have to find a CC, and then an attacker stepping stone, etc.., etc., No need for rehashes of this here, methinks.

Finding the CC for a botnet that must keep scanning to conduct abuse should be easier than for a botnet that doesn't need to scan. You find the person scanning and you found the person involved in the CC. Also, one doesn't need to find the attacking source with recursor abuse. It's a very mitigatable attack. Just like open proxy abuse, one can usually block the recursor without collateral damage. Significantly, one can't easily mitigate the other attack (ala DNSSEC responses) of roots, TLDs, major domain's authority servers. Blocking authority servers generally does significant damage; roots, TLDs, major domains in particular can't be blocked.

>> I'll wait to see the report. It will also be interesting to find out who was surveyed. If it turns out to be primarily NANOG (the source of the original reports), I'll be more dubious.
>
> No, there's quite a wide distribution of responses, but mostly *OG types in various regions.

Ahh. Figured as much.

>> Mr. McPherson is associated with NANOG, attending 18 meetings as of NANOG 42; Only 46 people have attended more NANOG meetings than Mr. McPherson.
>
> Interesting tidbit, I had no idea. Useless, but interesting :-)

Useless to you perhaps. Not so useless to everyone. But it's interesting that you aren't concerned by the association with the