On 01/31/2013 09:50 AM, Graeme Fowler wrote:
> On Thu, 2013-01-31 at 09:32 -0500, Keith Mitchell wrote:
>>
>> http://www.redbarn.org/dns/ratelimits
>
> It's worth mentioning that DNS RRL prevents authoritative servers
> contributing to amplification attacks rather than helping at the
> target end. It could be described as making your authoritative
> servers less "attractive" to the attackers, because they won't
> generate anywhere near the same amount of traffic.
Indeed - there's a whole bunch of current and potential vectors for DNS
amplification attacks (IN/ANY, DNSSEC, ...), and simpler vector-specific
attempts to mitigate, whether at the authoritative or victim end, are
just going to result in the attackers rapidly switching to another
vector. This would mean the cost of dealing with these attacks would not
go away.
The more authoritative servers that deploy the rate-limiting or similar
techniques, the less attack surface there is for the bad guys, and the
more expensive it is for _them_ to mount the attacks.
On 01/31/2013 10:29 AM, Jon Morby wrote:
> What needs to happen with BCP38/uRPF is that it needs to be burned
> into the consumer CPE. ISPs certainly need to enforce it on their
> customers' connections, but this needs to happen at the OEM level
> directly at manufacturing .. not at the ISP level (at least
> initially).
This is a nice idea, but in a world where CPE vendors routinely by
default leave DNS resolver and UPnP (*) ports completely open to the
entire world on the WAN side, this feels like at least as big a mountain
to climb...
> The manufacturers can sell uRPF as a plus point (a feature no less!)
Unfortunately most CPE vendors appear to be engaged in a race to the
bottom rather than doing value-add :-(
Keith
(*) In case anyone didn't already see
http://www.kb.cert.org/vuls/id/922681