On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:
1) If everyone on the planet were to somehow magically and immediately be
converted over to DNSSEC tomorrow, then would DNS amplification attacks
become a thing of the past, starting tomorrow? Does DNSSEC solve the
DNS amplification attack
On 06/13/2013 05:33 AM, Phil Mayers wrote:
On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:
1) If everyone on the planet were to somehow magically and
immediately be
converted over to DNSSEC tomorrow, then would DNS amplification attacks
become a thing of the past, starting tomorrow?
From: David Miller dmil...@tiggee.com
Basically, the whole idea is just simply to allow a victim to switch to
safe TCP only mode with all of the intermediaries that are
participating
The problem with that idea is that it needs software updates on both
the reflecting DNS server and
- Original Message -
Any comments and best practice solution info very welcome.
Folks with significant requirements with regard to high availability
are likely to put a hardware loadbalancer running a VIP which
receives DNS requests and balances it onto a pool of reals (aka the
In message 51b991f7.9070...@imperial.ac.uk,
Phil Mayers p.may...@imperial.ac.uk wrote:
On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:
2) Has anyone ever proposed adding to the DNS protocol something vaguely
reminiscent of the old ICMP Source Quench? If so, what became of that
proposal?
On 06/13/2013 02:01 PM, Ronald F. Guilmette wrote:
The entire problem is fundamentally a result of the introduction of EDNS0.
Wouldn't you agree?
No. You can still get pretty good amplification with 512 byte responses.
There are 2 causes of this problem, lack of BCP 38, and improperly
In message 51b9fb6a.1090...@tiggee.com,
David Miller dmil...@tiggee.com wrote:
This could lead to wrong headed statements like, Yes, we sent X GB of
traffic at your network.
Yes.
Last night I reconsidered at some length the scheme I put forward yesterday.
(Please note that I am very
The entire problem is fundamentally a result of the introduction of EDNS0.
Wouldn't you agree?
No, that just makes it a little easier. You pound the patoot out of
someone with 512 byte packets just as much as you can with 4K packets,
just by making your attacking botnet bigger.
The real
Just a thought, below:
On 14/06/13 2:41, Ronald F. Guilmette wrote:
In message 51b9fb6a.1090...@tiggee.com,
David Miller dmil...@tiggee.com wrote:
This could lead to wrong headed statements like, Yes, we sent X GB of
traffic at your network.
Yes.
Last night I reconsidered at some length
In message 201306131753.r5dhrwon093...@calcite.rhyolite.com,
Vernon Schryver v...@rhyolite.com wrote:
I think that the use of RRL on some roots shows that keeping state
is not a problem if the state keeping is not utterly stupid.
(I'm not sure what, if anything, I should be reading into that
From: John Levine jo...@iecc.com
The real solution is BCP 38, to keep spoofed packets out of the
network in the first place.
Indeed. As many have mentioned, DNS reflection attacks are merely
the current fad, driven partly by 10X or higher amplification
(50 byte queries, 500 byte responses)
In message 51ba355b.10...@dougbarton.us,
Doug Barton do...@dougbarton.us wrote:
No. You can still get pretty good amplification with 512 byte responses.
That is an interesting contention. Is there any evidence of, or even any
reasonably reliable report of any DDoS actually being perpetrated
Well the process has started. BCP 38. If you want to hurry it along
complain to your local politician that they need to consider drafting
legislation that requires ISPs to implement BCP 38 in their networks.
Require BCP 38 implementation by all parties as part of trade
negotiation.
Doing
In message 20130614004155.72013.qm...@joyce.lan,
John Levine jo...@iecc.com wrote:
The real solution is BCP 38...
I agree completely John. I cannot do otherwise. But I have to ask the
obvious elephant-in-the-room question... How is that coming along so far?
Maybe we could find worse ways
The real solution is BCP 38...
I agree completely John. I cannot do otherwise. But I have to ask the
obvious elephant-in-the-room question... How is that coming along so far?
Based on discussions I've had with people who work at large networks
and in policy positions in various governments
In message 14768.1371175...@server1.tristatelogic.com, Ronald F. Guilmette
writes:
In message 20130614004155.72013.qm...@joyce.lan,
John Levine jo...@iecc.com wrote:
The real solution is BCP 38...
I agree completely John. I cannot do otherwise. But I have to ask the
obvious
In message 20130614020930.c1c1c35e2...@drugs.dv.isc.org,
Mark Andrews ma...@isc.org wrote:
Well the process has started. BCP 38. If you want to hurry it along
complain to your local politician that they need to consider drafting
legislation that requires ISPs to implement BCP 38 in their
In message 20130614022305.72272.qm...@joyce.lan,
John Levine jo...@iecc.com wrote:
The real solution is BCP 38...
I agree completely John. I cannot do otherwise. But I have to ask the
obvious elephant-in-the-room question... How is that coming along so far?
Based on discussions I've had
In message 20130614023140.7735d35e2...@drugs.dv.isc.org,
Mark Andrews ma...@isc.org wrote:
* Router manufacturers have code to support BCP 38 though it defaults to off.
Well then, THAT is going to be a great help in solving the problem, isn't it?
* Large numbers of ISPs claim they implement
From: Ronald F. Guilmette r...@tristatelogic.com
} That is an interesting contention. Is there any evidence of, or even any
} reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
} using strictly 512 byte packets?
}
} If that's actually a real problem, then I am forced
So, may I infer that rather than being put off until the end of the
century, which seemed to be the previous implementation timeline,
pervasive implementation of BCP 38 may now be expected at around the
time that 32-bit UNIX clocks are anticipated to wrap-around to negative?
Perhaps, but I think
In message 20130614032434.72450.qm...@joyce.lan,
John Levine jo...@iecc.com wrote:
So, may I infer that rather than being put off until the end of the
century, which seemed to be the previous implementation timeline,
pervasive implementation of BCP 38 may now be expected at around the
time that
In message 15120.1371179...@server1.tristatelogic.com, Ronald F. Guilmette
writes:
In message 20130614023140.7735d35e2...@drugs.dv.isc.org,
Mark Andrews ma...@isc.org wrote:
* Router manufacturers have code to support BCP 38 though it defaults to off.
Well then, THAT is going to be a
Ronald,
It's obvious you're frustrated (understandable), and enthusiastic
(commendable), but you might want to consider dialing down your
rhetoric a bit. You've had responses from people here who have been
working on this problem for years, and have a deep understanding of it.*
Trying to
Hello,
I posted this to httpd.apache.org but have not had any response, so I think it
may be more related to BIND than DNS. Apologies for the cross-post.
I have setup two webservers on my network, one connected directly to the ISP
with an ethernet card installed to bring it to the router