Re: [dns-operations] Defending against DNS reflection amplification attacks
On Wed, Feb 20, 2013 at 08:48:19AM +0100, Jan-Piet Mens jpmens@gmail.com wrote a message of 12 lines which said:

> FYI, a paper (Feb 2013) titled "Defending against DNS reflection amplification attacks" at [1].

Very good paper, highly recommended. I was surprised they did not test NSD+RRL (or other solutions). Lack of time?

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] Another whitepaper on DDOS
On Feb 22, 2013, at 2:58 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote:

> they keep pretending that the DNS attack in Brazil was cache poisoning, while it has been widely documented for a long time http://www.securelist.com/en/blog/208193852/The_tale_of_one_thousand_and_one_DSL_modems.

I keep running into the "Brazil had an attack that could've been prevented by DNSSEC" too. Gets boring after a while.

Has there been any documented attack that would have been prevented by DNSSEC that one can point to?

Thanks,
-drc
Re: [dns-operations] Another whitepaper on DDOS
Warren,

On Feb 22, 2013, at 7:42 AM, Warren Kumari war...@kumari.net wrote:

> http://dnssec-deployment.org/pipermail/dnssec-deployment/2012-July/006003.html

Thanks! Missed that message somehow.

BIND 4.8.anything in 2010? I weep for humanity.

Regards,
-drc
Re: [dns-operations] Another whitepaper on DDOS
David Conrad d...@virtualized.org wrote:

> Has there been any documented attack that would have been prevented by DNSSEC that one can point to?

DigiNotar's bogus Google certificate would not have worked with DANE.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
Re: [dns-operations] Another whitepaper on DDOS
* David Conrad [2013-02-22 16:18]:

> Has there been any documented attack that would have been prevented by DNSSEC that one can point to?

This paper describes a censorship attack which could be mitigated by DNSSEC: http://conferences.sigcomm.org/sigcomm/2012/paper/ccr-paper266.pdf

Regards,
Matt
--
Universität Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg
Re: [dns-operations] Defending against DNS reflection amplification attacks
On Feb 22, 2013, at 4:04 AM, Paul Vixie p...@redbarn.org wrote:

> at which point it's easier to fix source address validation and make THAT universal.
> which we already know can't be done.

Don't confuse "won't" with "can't". It absolutely can be done. It won't be done because the carriers see profit in laziness, and see no profit in stopping criminals.

In fact, I would argue that it could be done within a month net-wide if the carriers were motivated to do it. Sadly, it will probably take a large scale event that makes large carriers implement it completely in defense of their own networks to force the small carriers to get around to it.

...not dissing small carriers. I know many who implement it completely. It's the large carriers who tend to whine the most, but they are also the ones with a board of directors who could demand it -- thus, they are the place where the elbow could be placed.
[dns-operations] universal deployment of BCP38 and won't/can't semantics
On 22 Feb 2013, at 17:55, Jo Rhett jrh...@netconsonance.com wrote:

> Don't confuse "won't" with "can't". It absolutely can be done.

With sufficient thrust, even pigs can fly.

There's no point arguing the semantics of "don't" and "can't". As Paul mentioned earlier, let's remain realistic. Universal deployment of BCP38 simply isn't going to happen, no matter how much you or I *really want* that. [And I do.] Get over it. Good luck getting an ISP in downtown Mogadishu (say) to sign up to BCP38 and sticking to it.

The financial and legal incentives for adopting BCP38 aren't there and almost certainly never will be. This doesn't of course mean we should stop efforts to find those incentives. Or give up on encouraging wider BCP38 adoption. Everyone just has to be realistic about what can be achieved.
Re: [dns-operations] Defending against DNS reflection amplification attacks
On 2013-02-22, at 13:55, Jo Rhett jrh...@netconsonance.com wrote:

> On Feb 22, 2013, at 4:04 AM, Paul Vixie p...@redbarn.org wrote:
>
>> at which point it's easier to fix source address validation and make THAT universal.
>> which we already know can't be done.
>
> Don't confuse "won't" with "can't". It absolutely can be done. It won't be done because the carriers see profit in laziness, and see no profit in stopping criminals.

Before everybody starts waving red flags and marching in the streets:

- the carriers of which you speak are big companies;
- big companies with staff who care about BCP38 have likely already deployed it;
- big companies with non-trivial networks who have yet to deploy it need a business reason to do so, since the implementation and support costs are likely enough to be significant that there's probably no room under the radar to do it there;
- companies have a responsibility to their shareholders to act according to a profit motive;
- there is no profit motive in "increase my costs so that I can decrease the costs of my competitors".

If you can describe BCP38 deployment in a non-trivial network such that deployment is to the benefit of shareholders and non-deployment is not, I'm all ears. Absent regulation and punitive fines for non-compliance, I don't see it.

If there's a logical or practical fallacy in here, someone please point it out. (As if I have to type that.)

Joe
Re: [dns-operations] Another whitepaper on DDOS
* Tony Finch wrote:

> DigiNotar's bogus Google certificate would not have worked with DANE.

But the erroneous transfer of ebay.de would create a disaster with DANE.
Re: [dns-operations] Defending against DNS reflection amplification attacks
> From: Joe Abley jab...@hopcount.ca

> If you can describe BCP38 deployment in a non-trivial network such that deployment is to the benefit of shareholders and non-deployment is not, I'm all ears. Absent regulation and punitive fines for non-compliance, I don't see it.

Civil lawsuits by victims of DNS reflection and other attacks that depend on failures to deploy BCP38 might help convince boards of directors.

It might help to take up a collection to help pay the legal fees of a victim suing one of those non-trivial networks. I've the vague impression that kind of fund raising is illegal.

I've learned to avoid using the word "fine" in a different but related context. I have long claimed that ESPs (bulk mailers for hire) could practically stop the large amounts of unsolicited bulk email that they send by fining their customers with dirty target lists. A $100 fine for each spam complaint verified by the ESP (maybe only after the 5th complaint and maybe capped at $5,000) would practically stop the ESP spam sent toward my personal mailbox and to my spam traps feeding DCC. A representative of a major ESP insisted in public that my claim is nonsense, because it is "illegal" (sic) for an ESP to fine its customers. Because ESPs are private enterprises, that might be literally true. It's also a lie because ESPs could say "cleanup fee" or "spam complaint processing fee" instead of "fine" without reducing the disincentive for purchased, harvested, re-purposed, or other dirty mailboxes in target lists.

Vernon Schryver    v...@rhyolite.com
Re: [dns-operations] Another whitepaper on DDOS
> From: Lutz Donnerhacke l...@iks-jena.de

> But the erroneous transfer of ebay.de would create a disaster with DANE.

In what way would DANE make the theft of a domain worse?

Without DANE, the new possessor of a domain need only get SMTP working, create a new cert, apply for signature for a new cert, answer the email from the CA verifying ownership of the domain, and start using that new cert on new HTTP servers with improved web pages.

With DANE, only a few things differ. One difference is that the new cert can be used as soon as DNS TTLs allow without waiting to answer ownership-verifying email from the CA. The second difference is that before and after the transfer, browser users can be more confident that the web pages they see are unchanged between HTTP server and HTTP client.

In no case can you be sure that ebay.de is what you assume it is without some sort of out-of-band exchange of keys and secrets between you and ebay.de. Paying a CA $500 cannot buy more than $500 worth of identity checking and authentication, and that cannot penetrate more than $500 worth of smoke, mirrors, forged business licenses, etc. $500 is plenty for a hobby domain but ridiculous for an eBay. (Never mind the free CAs.)

Commercial PKI verifications of the identities of strangers have always been frauds and snake oil sold to punters. That commercial PKI fees have always been too small to allow honest identity checks even for organizations more famous than Ebay was proven more than 10 years ago.

https://www.cert.org/advisories/CA-2001-04.html
http://technet.microsoft.com/en-us/security/advisory/2524375

Vernon Schryver    v...@rhyolite.com
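The point Vernon makes about DANE, that a certificate is bound to what the zone publishes rather than to a CA's email check, comes down to how a client matches a presented certificate against a TLSA record. The code below is an added example written for this page, not code from the list or from any DANE implementation. It follows the TLSA rdata layout from RFC 6698 (usage, selector, matching type, association data) but only handles usage 3 (DANE-EE) with selector 0 (full certificate); selector 1 (SubjectPublicKeyInfo) would need DER parsing and is left out. The two "certificates" are constructed byte strings standing in for DER, and the owner name `_443._tcp.www.example.com` is a placeholder. DNSSEC validation of the TLSA RRset itself is assumed to have already happened.

```python
import hashlib
import hmac

# TLSA field values used here (RFC 6698, section 2.1).
USAGE_DANE_EE = 3          # the end-entity certificate itself must match
SELECTOR_FULL_CERT = 0     # match against the full DER certificate
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def association_data(cert_der, mtype):
    """Certificate association data for the given matching type."""
    if mtype == MATCH_EXACT:
        return cert_der
    if mtype == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert_der, usage=USAGE_DANE_EE, selector=SELECTOR_FULL_CERT,
              mtype=MATCH_SHA256):
    """Record in presentation format, e.g. '3 0 1 <hex>'. The owner name
    (placeholder: _443._tcp.www.example.com) is not part of the rdata."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, mtype).hex()}"


def parse_tlsa(text):
    """Split a presentation-format record into (usage, selector, mtype, data)."""
    usage, selector, mtype, data = text.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))


def tlsa_matches(text, cert_der):
    """True if the presented certificate satisfies the TLSA record.
    Only DANE-EE with the full-certificate selector is handled here."""
    usage, selector, mtype, data = parse_tlsa(text)
    if usage != USAGE_DANE_EE or selector != SELECTOR_FULL_CERT:
        raise NotImplementedError("only usage 3 / selector 0 handled in this example")
    # Constant-time comparison of the computed and published association data.
    return hmac.compare_digest(association_data(cert_der, mtype), data)


# Constructed stand-ins for two DER certificates: the one the domain's
# original holder published a TLSA record for, and one minted by whoever
# holds the name after an erroneous transfer. Not real certificates.
ORIGINAL_CERT = b"\x30\x82\x01\x00constructed-cert-original-holder"
NEW_HOLDER_CERT = b"\x30\x82\x01\x00constructed-cert-new-holder"


def validation_outcome(published_record, presented_cert):
    """What a DANE-aware client concludes for one TLS handshake."""
    return "accepted" if tlsa_matches(published_record, presented_cert) else "rejected"


if __name__ == "__main__":
    record = make_tlsa(ORIGINAL_CERT)
    print("published:", record)
    # Until the TLSA RRset is changed (and cached copies expire), the new
    # holder's certificate is rejected even if a CA would happily sign it.
    print("original cert:", validation_outcome(record, ORIGINAL_CERT))
    print("new holder cert:", validation_outcome(record, NEW_HOLDER_CERT))
    # Once the new holder publishes a record for their own certificate it is
    # accepted: the binding follows control of the zone, which is the
    # "as soon as DNS TTLs allow" observation above.
    print("after DNS update:", validation_outcome(make_tlsa(NEW_HOLDER_CERT), NEW_HOLDER_CERT))
```

The matching step is deliberately the whole story: nothing in it consults a CA, which is why a stolen zone can publish a working record as soon as the old one expires, and why a bogus CA-issued certificate for an unchanged zone does not match.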
Re: [dns-operations] universal deployment of BCP38 and won't/can't semantics
On Feb 22, 2013, at 10:19 AM, Jim Reid j...@rfc1035.com wrote:

> There's no point arguing the semantics of "don't" and "can't". As Paul mentioned earlier, let's remain realistic. Universal deployment of BCP38 simply isn't going to happen, no matter how much you or I *really want* that. [And I do.] Get over it. Good luck getting an ISP in downtown Mogadishu (say) to sign up to BCP38 and sticking to it.

If their ability to pass traffic requires BCP38 and detected failures will lead to de-peering, it will happen. I've enforced BCP38 within both colocation facilities and large-scale peering. It can happen, and the fight has usually been much less than expected. My employers have been tentative about whether they'd risk a legal battle over it, but it has never come to that. And we lost zero, flat zero, opportunities over this unless you count some large spam operators that we turned away for multiple reasons.

Stop saying it won't happen, and push back just a little every day. If enough of us do this, it will come to be.

I am seriously looking for a great opportunity to sue a very large carrier for a failure to implement BCP38, since it very clearly meets the guidelines for "reasonable and expected" that the courts love to use. One very large carrier + one very large settlement, and the other carriers will notice.

It's not impossible. It is hard, but many hard things are worth doing.
Re: [dns-operations] Defending against DNS reflection amplification attacks
On Feb 22, 2013, at 10:22 AM, Joe Abley jab...@hopcount.ca wrote:

> - big companies with staff who care about BCP38 have likely already deployed it;

No. I've had this conversation many times and employees of big companies feel that it's impossible, and don't even raise the issue with their management. On two different occasions I arranged a meeting with their management and made the case for it, at which point the managers told the unbelieving employee to make it happen. BCP has some really good arguments for any public company, basically this.

> - big companies with non-trivial networks who have yet to deploy it need a business reason to do so, since the implementation and support costs are likely enough to be significant that there's probably no room under the radar to do it there;

Every implementation I have done at the edge was nearly trivial in the amount of effort involved. I've been paid as a consultant to do it, and in several situations I was able to enable BCP for 1000+ customers for less than one day's worth of billable hours. (Filtering at the core is an entirely different topic and is absolutely much harder.) Not all situations are that easy, but it's often much easier than anyone believes.

> - companies have a responsibility to their shareholders to act according to a profit motive;
> - there is no profit motive in "increase my costs so that I can decrease the costs of my competitors".

There is absolutely a profit motive in preventing very costly lawsuits. I was personally involved in the complete death of a small European ISP which was used repeatedly for multi-gigabit random-source attacks. Their customer base and gear was sold off for 8% of annual operating revenue at the close of the criminal case. Stockholders very much care about this.

> If you can describe BCP38 deployment in a non-trivial network such that deployment is to the benefit of shareholders and non-deployment is not, I'm all ears. Absent regulation and punitive fines for non-compliance, I don't see it.

I am seriously looking for a great opportunity to sue a very large carrier for a failure to implement BCP38, since it very clearly meets the guidelines for "reasonable and expected" that the courts love to use. One very large carrier + one very large settlement, and the other carriers will notice.
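As an added illustration of the edge-side source address validation the thread is arguing over (BCP38 ingress filtering), here is example code written for this page; it is not code from the list or from any of its participants. It models what a customer-facing port does when it enforces BCP38: a packet is forwarded only if its source address lies in a prefix assigned to the port it arrived on, and everything else, including queries whose source is forged to a reflection victim's address, is dropped and counted per port. Port names, customer prefixes (RFC 5737 documentation ranges) and the traffic sample are constructed; the ACL rendering uses Cisco IOS-style syntax as an illustration of the per-port configuration Jo describes as nearly trivial.

```python
import ipaddress
from collections import Counter

# Constructed customer edge ports and the prefixes assigned to them. In a
# real deployment these come from the provisioning system / IPAM.
CUSTOMER_PORTS = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["192.0.2.0/25", "192.0.2.128/26"],
}


def build_filter(ports):
    """Parse the prefixes once; returns {port: [IPv4Network, ...]}."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in ports.items()}


def source_allowed(filt, port, src):
    """BCP38 check: forward only if the source address belongs to a prefix
    assigned to the port the packet arrived on. Unknown ports allow nothing."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filt.get(port, []))


def filter_packets(filt, packets):
    """Apply the ingress filter to (port, src, dst) tuples.

    Returns the forwarded packets and a Counter of drops keyed by
    (port, spoofed source), so an operator can see which customer port is
    emitting traffic impersonating which address (the reflection victim)."""
    forwarded, drops = [], Counter()
    for port, src, dst in packets:
        if source_allowed(filt, port, src):
            forwarded.append((port, src, dst))
        else:
            drops[(port, src)] += 1
    return forwarded, drops


def render_ios_acl(port, prefixes):
    """Render the same policy as a Cisco IOS-style extended ACL (illustrative
    syntax). IOS wildcard masks are the inverse of the netmask, which
    ipaddress exposes as hostmask."""
    name = "BCP38-" + port.replace("/", "-").upper()
    lines = [f"ip access-list extended {name}"]
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


# Constructed traffic sample: two legitimate DNS queries, then a burst of
# queries whose source is forged to a victim address (198.51.100.10), the
# shape of a DNS reflection attack launched from a customer host.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.7", "192.0.2.53"),
    ("ge-0/0/2", "192.0.2.130", "192.0.2.53"),
] + [("ge-0/0/1", "198.51.100.10", "192.0.2.53")] * 5


if __name__ == "__main__":
    filt = build_filter(CUSTOMER_PORTS)
    fwd, dropped = filter_packets(filt, SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={sum(dropped.values())}")
    for (port, src), n in dropped.items():
        print(f"  {port}: {n} packets with spoofed source {src}")
    print(render_ios_acl("ge-0/0/2", CUSTOMER_PORTS["ge-0/0/2"]))
```

The drop counter is the operationally useful part: a port whose counter climbs with a single foreign source address is a customer host participating in a reflection attack, which is the evidence an abuse desk needs, and the spoofed packets never leave the network to hit the victim.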
Re: [dns-operations] Defending against DNS reflection amplification attacks
> Civil lawsuits by victims of DNS reflection and other attacks that depend on failures to deploy BCP38 might help convince boards of directors.

as will black helicopters. can we stick to reality as we actually experience it? it is the reality on which the management, of which joe spoke so well, operates (well ...)

randy
Re: [dns-operations] Another whitepaper on DDOS
On Fri, Feb 22, 2013 at 07:42:17PM +0000, Vernon Schryver wrote:

>> From: Lutz Donnerhacke l...@iks-jena.de
>> But the erroneous transfer of ebay.de would create a disaster with DANE.
>
> In what way would DANE make the theft of a domain worse?

On top of all the excellent points Vernon makes about how DANE is no worse, DANE gives you a couple mechanisms to make detection slightly easier. For the erroneous registrar or registrant transfer of the domain name is reflected in the WHOIS (or, let's hope, the eventual output of WEIRDS), so it's possible to see that the sponsorship of the name has changed. If it's merely all the name servers that have changed, that too might be useful evidence that something is up. None of this is perfect, but it is surely more evidence that can be taken into account. And there's the obvious benefit that with DANE, you're not stuck depending on every self-asserting trust vehicle that manages to convince the browser vendors to put in an anchor.

I note that none of these mechanisms are built today, of course, but there's no reason reputation systems couldn't develop based on DANE along these lines, particularly if we get something like WEIRDS that would allow profiling of some classes of behaviour without disclosing all the PII that WHOIS does today.

A
--
Andrew Sullivan a...@anvilwalrusden.com
Re: [dns-operations] universal deployment of BCP38 and won't/can't semantics
On Fri, Feb 22, 2013 at 10:19 AM, Jim Reid j...@rfc1035.com wrote:

> The financial and legal incentives for adopting BCP38 aren't there and almost certainly never will be. This doesn't of course mean we should stop efforts to find those incentives. Or give up on encouraging wider BCP38 adoption. Everyone just has to be realistic about what can be achieved.

Are there ways that neutral third parties (Cymru and Caida come to mind) could maintain lists of networks that don't enforce BCP38?

--
Colm
Re: [dns-operations] universal deployment of BCP38 and won't/can't semantics
Colm MacCárthaigh (colm) writes:

> Are there ways that neutral third parties (Cymru and Caida come to mind) could maintain lists of networks that don't enforce BCP38?

Not likely - there is an existing project to collect these kinds of stats:

http://spoofer.cmand.org/
http://spoofer.cmand.org/summary.php

But only aggregate stats are published, no details.

http://spoofer.cmand.org/faq.php

> Does this effort help scammers find an ISP that allows spoofing?
>
> No. We keep data on individual networks private and only publish aggregate statistics.

[...]
Re: [dns-operations] Another whitepaper on DDOS
Are there CA vendors who give out EV certificates for $fee + answer the e-mail? I know you can get basic SSL certs simply by answering the e-mail from the CA. Not that "look for the green bar" is going to be a whole lot more successful than "Don't say yes to security exceptions you don't understand", but I'm curious. :)

Doug

On 02/22/2013 11:42 AM, Vernon Schryver wrote:

>> From: Lutz Donnerhacke l...@iks-jena.de
>> But the erroneous transfer of ebay.de would create a disaster with DANE.
>
> In what way would DANE make the theft of a domain worse?
>
> Without DANE, the new possessor of a domain need only get SMTP working, create a new cert, apply for signature for a new cert, answer the email from the CA verifying ownership of the domain, and start using that new cert on new HTTP servers with improved web pages.
>
> With DANE, only a few things differ. One difference is that the new cert can be used as soon as DNS TTLs allow without waiting to answer ownership-verifying email from the CA. The second difference is that before and after the transfer, browser users can be more confident that the web pages they see are unchanged between HTTP server and HTTP client.
>
> In no case can you be sure that ebay.de is what you assume it is without some sort of out-of-band exchange of keys and secrets between you and ebay.de. Paying a CA $500 cannot buy more than $500 worth of identity checking and authentication, and that cannot penetrate more than $500 worth of smoke, mirrors, forged business licenses, etc. $500 is plenty for a hobby domain but ridiculous for an eBay. (Never mind the free CAs.)
>
> Commercial PKI verifications of the identities of strangers have always been frauds and snake oil sold to punters. That commercial PKI fees have always been too small to allow honest identity checks even for organizations more famous than Ebay was proven more than 10 years ago.
>
> https://www.cert.org/advisories/CA-2001-04.html
> http://technet.microsoft.com/en-us/security/advisory/2524375
>
> Vernon Schryver    v...@rhyolite.com
Re: [dns-operations] Defending against DNS reflection amplification attacks
On Feb 22, 2013, at 12:04 PM, Randy Bush ra...@psg.com wrote:

>> Civil lawsuits by victims of DNS reflection and other attacks that depend on failures to deploy BCP38 might help convince boards of directors.
>
> as will black helicopters. can we stick to reality as we actually experience it?

Having been a witness in two of these lawsuits, I don't see them as unrealistic. Both lawsuits were remarkably effective. This is one of the few technical topics which can be explained to normal jurors very easily.
Re: [dns-operations] Defending against DNS reflection amplification attacks
>> Civil lawsuits by victims of DNS reflection and other attacks that depend on failures to deploy BCP38 might help convince boards of directors.
>
> Having been a witness in two of these lawsuits,

cites, please

randy
Re: [dns-operations] Defending against DNS reflection amplification attacks
On Feb 22, 2013, at 2:09 PM, Randy Bush ra...@psg.com wrote:

>>> Civil lawsuits by victims of DNS reflection and other attacks that depend on failures to deploy BCP38 might help convince boards of directors.
>>
>> Having been a witness in two of these lawsuits,
>
> cites, please

That's a great request that unfortunately I have no clue if I can respond to. Both were early-to-mid 2000s and I was forbidden by the court from talking about it at the time. I need to track down the legal team of the companies and find out if I can discuss the topic now that it's settled. (Both were settled as soon as the lawyers realized that the jury

And unfortunately both companies that brought me in as a witness have been acquired, one twice since then, so it's going to be fun to do. I have already started that process however, once this conversation began, because I knew that this would be asked.
Re: [dns-operations] Another whitepaper on DDOS
At 09:26 22-02-2013, Matthäus Wander wrote:

> This paper describes a censorship attack which could be mitigated by DNSSEC: http://conferences.sigcomm.org/sigcomm/2012/paper/ccr-paper266.pdf

See https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005343.html

Regards,
-sm
Re: [dns-operations] universal deployment of BCP38 and won't/can't semantics
Below:

On Fri, Feb 22, 2013 at 11:45 AM, Jo Rhett jrh...@netconsonance.com wrote:

> On Feb 22, 2013, at 10:19 AM, Jim Reid j...@rfc1035.com wrote:
>
>> There's no point arguing the semantics of "don't" and "can't". As Paul mentioned earlier, let's remain realistic. Universal deployment of BCP38 simply isn't going to happen, no matter how much you or I *really want* that. [And I do.] Get over it. Good luck getting an ISP in downtown Mogadishu (say) to sign up to BCP38 and sticking to it.
>
> If their ability to pass traffic requires BCP38 and detected failures will lead to de-peering, it will happen. I've enforced BCP38 within both colocation facilities and large-scale peering. It can happen, and the fight has usually been much less than expected. My employers have been tentative about whether they'd risk a legal battle over it, but it has never come to that. And we lost zero, flat zero, opportunities over this unless you count some large spam operators that we turned away for multiple reasons.
>
> Stop saying it won't happen, and push back just a little every day. If enough of us do this, it will come to be.
>
> I am seriously looking for a great opportunity to sue a very large carrier for a failure to implement BCP38, since it very clearly meets the guidelines for "reasonable and expected" that the courts love to use. One very large carrier + one very large settlement, and the other carriers will notice.
>
> It's not impossible. It is hard, but many hard things are worth doing.

As a co-author of BCP38, I am sick and tired of being sick and tired -- it is a good idea and we still need to push on this.

And with regards to DNS amplification attacks I have a new way to do things I would prefer not to do -- spend more time flying around the world explaining to people how to stop being bad stewards in the basic hygiene of the Internet.

If anyone can find some fault in that, then you are not part of the solution. Period.

- ferg

--
Fergie, a.k.a. Paul Ferguson
fergdawgster(at)gmail.com
Re: [dns-operations] Defending against DNS reflection amplification attacks
> Are you willing to also help us do the hard work to do the right thing? I'm pretty sure the answer is "Yes". So let's get busy, and stop finding reasons not to do the Right Thing.
>
> - ferg

you may have a problem with your mail system. it seems to be re-sending messages from a decade ago, though they seem to have today's date. odd.

perhaps, after the decade of us telling others how they should run their networks, an actual large operator who has deployed bcp38 can give us an analysis of the costs, capex and opex, and how they minimized them.

randy
Re: [dns-operations] Defending against DNS reflection amplification attacks
On Fri, Feb 22, 2013 at 7:13 PM, Randy Bush ra...@psg.com wrote:

>> Are you willing to also help us do the hard work to do the right thing? I'm pretty sure the answer is "Yes". So let's get busy, and stop finding reasons not to do the Right Thing.
>>
>> - ferg
>
> you may have a problem with your mail system. it seems to be re-sending messages from a decade ago, though they seem to have today's date. odd.

Not at all odd -- we still have the same problems. I think that is indicative of several things, none of which I will expand on at this moment.

> perhaps, after the decade of us telling others how they should run their networks, an actual large operator who has deployed bcp38 can give us an analysis of the costs, capex and opex, and how they minimized them.

I think we are far beyond that -- those are the things that have apparently already failed. It is several factors -- ignorance, negligence, among them. We as a community have not done a good job of boiling it down to non-technical issues that those executives understand (with regards to revenue issues).

I agree that we should have some hard stats on who has deployed these measures, and how it impacted them. Please speak up if you have any data.

I can say, however, that we *do* have data on who has *not* deployed it, and how they are virtually criminally negligent for doing so.

And don't get me wrong -- there are still some really hard problems.

- ferg

--
Fergie, a.k.a. Paul Ferguson
fergdawgster(at)gmail.com
Re: [dns-operations] Defending against DNS reflection amplification attacks
On Fri, Feb 22, 2013 at 7:38 PM, Randy Bush ra...@psg.com wrote:

> one urban definition of insanity is repeating the same thing expecting different results. i do not disagree with bcp38. i just don't think repeating that anyone who does not deploy it is an anti-internet asshole is going to get any more significant deployment. that approach has been failing for many years.
>
> randy

I don't think I said anything even closely resembling that. I did say that we (community) are not doing a proper job of promoting proper behavior (and configuration) on the Internet.

And it's not all about BCP38 either. There are tens of millions of open DNS recursive resolvers out there...

- ferg

--
Fergie, a.k.a. Paul Ferguson
fergdawgster(at)gmail.com