On 01/31/2013 01:37 PM, Robert McKay wrote:

> I used to be able to send IP packets using any source address 
> directly through my home cable modem.. that hasn't been possible
> with any ISPs I've used in the last 5 years, but there probably are
> still a few somewhere in the world.

Some countries have much worse practice than the UK. Many of them are
much larger countries :-( At least one study:

        http://www.senki.org/archives/879

suggests your "few" is somewhere in the 15-25% ballpark.

> Having said that, I think a lot of these kinds of attacks actually 
> originate from complicit rogue malware ISPs that have deliberately 
> set up servers such that they're able to spoof.. whether they have 
> 'hacker clients' or 'hacked clients' or 'fake clients that (oops!) 
> got hacked' or they're actually just doing it themselves is kind of 
> beside the point. BCP-38 isn't going to help when people just turn
> it off.

Yes there are rogue ISPs, but never attribute wholly to malice what can
also be explained by cluelessness. Certainly cloud hosting seems to be a
bigger part of the problem than local loops here.

> Probably the most productive thing one can do is try and contact the 
> operators of the relay/reflector nameservers and try to get them to 
> stop answering requests from outside their own networks.

This only works for recursive resolvers - for authoritative nameservers,
the traffic profiles are such that it's very difficult to
distinguish between legitimate and attack traffic.

> It's slightly easier to trace this if it's your nameserver that's 
> being used as one of the relay/reflectors rather than if you're the 
> target since you're closer to the true source of the fake queries.

I know a number of large authoritative TLD operators who've been working
on this for some months now, and have yet to report any results. If you
know anyone or anything that can do better, I'd love to hear from them.

> I guess it's something we'll just have to live with for now.. :/

If we can reduce the effort/payback ratio for this type of attack by
widespread DNS rate-limiting deployment, there's a good chance the bad
guys will at least switch to other approaches.

Keith
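The DNS rate limiting Keith refers to, as an added illustration that is not part of this thread or any nameserver's real implementation: a simplified response rate limiter in the spirit of RRL (token bucket keyed by client /24 and response tuple, with every Nth over-limit reply "slipped" as a truncated answer rather than dropped), run over constructed sample traffic. The class, its parameter values, and the addresses are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    """Token bucket per (client /24, qname, qtype), loosely modelled on DNS RRL."""

    def __init__(self, responses_per_second=5, window=15, slip=2):
        self.rps = responses_per_second
        self.max_credit = responses_per_second * window
        self.slip = slip        # every Nth over-limit reply is truncated, not dropped
        self.buckets = {}       # key -> (credit, time of last update)
        self.over_limit = defaultdict(int)

    @staticmethod
    def _key(client_ip, qname, qtype):
        # Aggregating by /24 keeps one spoofed victim address from being
        # spread across many buckets by small address variations.
        return (str(ip_network(f"{client_ip}/24", strict=False)), qname.lower(), qtype)

    def decide(self, now, client_ip, qname, qtype):
        """Return 'send', 'slip' (truncated reply, TC=1) or 'drop'."""
        key = self._key(client_ip, qname, qtype)
        credit, last = self.buckets.get(key, (self.rps, now))
        credit = min(self.max_credit, credit + (now - last) * self.rps)
        if credit >= 1:
            self.buckets[key] = (credit - 1, now)
            return "send"
        self.buckets[key] = (credit, now)
        self.over_limit[key] += 1
        # A truncated reply is tiny, so it gives the attacker no amplification,
        # while a real client behind that address can still retry over TCP.
        return "slip" if self.slip and self.over_limit[key] % self.slip == 0 else "drop"


def simulate(queries, **limiter_args):
    """Run (time, src_ip, qname, qtype) records through the limiter and
    return per-source counts of each decision."""
    rrl = ResponseRateLimiter(**limiter_args)
    stats = defaultdict(lambda: {"send": 0, "slip": 0, "drop": 0})
    for t, ip, name, qtype in sorted(queries, key=lambda q: q[0]):
        stats[ip][rrl.decide(t, ip, name, qtype)] += 1
    return dict(stats)


# Constructed sample traffic: 100 identical ANY queries in two one-second
# bursts, all carrying the spoofed address of the victim, plus one ordinary
# client asking the same question once a second (addresses are documentation ranges).
VICTIM, CLIENT = "203.0.113.7", "198.51.100.9"
SAMPLE = [(t, VICTIM, "example.net", "ANY") for t in (0, 1) for _ in range(50)]
SAMPLE += [(t, CLIENT, "example.net", "ANY") for t in range(10)]
```

With the defaults, the spoofed burst gets 10 full answers, 45 truncated replies and 45 drops, while the ordinary client's 10 queries are all answered.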
