
North American Network Operators Group


Re: DOS attack against DNS?

  • From: Mark Andrews
  • Date: Mon Jan 16 18:29:06 2006

In article <> you write:
>On Mon, 16 Jan 2006, Paul Vixie wrote:
>> (Mark Andrews) writes:
>>> 	For repeat offenders create a list of networks that won't
>>> 	implement BCP 38 and collectively de-peer with them telling
>>> 	them why you are de-peering and what is required to
>>> 	re-establish connectivity.  It is in everyones interests
>>> 	to do the right thing here.
>> people inside one of the largest networks have told me that they have
>> customers who require the ability to bypass BCP38 restrictions, and that
>> they will therefore never be fully BCP38 compliant.  i've asked for BCP38
>> to become the default on all their other present and future customers but
>> then there was whining about bankruptcy, old outdated equipment, and so on.
>> sadly, there's no way to de-peer this network, or any other multinational,
>> and so there will be no "peer pressure" on them to implement BCP38.
>Consider people in the rest of the world who may purchase simplex 
>satellite links. By definition they inject traffic in places they aren't 
>announcing their route from.

	But they don't need to be able to source all of 0/0.  They
	need to be able to source particular addresses which they
	have.  If the end point of the satellite link is dynamic
	then they need to source netblocks.  The satellite company
	should be able to supply a complete list so filters can be
	set up appropriately.

	BCP 38 isn't all or nothing.  You do the best you can.  You
	limit the exposure.

	In this case if you get spoofed traffic from the satellite
	company's addresses you still talk to the satellite company
	to address the problem.  If they have static address
	assignment it should be an easy job to trace the offending
	traffic back.  If they have dynamic assignment then things
	get harder.

	It should be possible to prevent any "owned" box (other
	than a router) spewing out spoofed traffic to the net as a
	whole.  "owned" routers are a different kettle of fish.

	This is not a new problem.  Sooner or later governments will
	mandate this sort of filtering if the networking community
	as a whole doesn't do it and they may not leave room to support
	satellite down links.  Think mandatory strict unicast reverse
	path filtering everywhere.

>> so, it's either not in everyone's interests to do the right thing, or there
>> is still a huge variance in what's considered "the right thing".  either
>> way, we're (the internet is) SCREWED until we (that's "we all") fix this.
>> (if you're not seeing spoofed-source attacks, bully for you!  i didn't see
>> one today, either, but leaving this tool in the bad-guy toolbox makes us all
>> unsafe, no matter how much or how little they may be using it this day/year.)
>Joel Jaeggli  	       Unix Consulting
>GPG Key Fingerprint:     5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
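The distinction the reply draws, between strict unicast RPF (which drops a simplex-satellite customer's traffic because the route back to its source points out a different interface) and a per-interface BCP 38 ingress ACL built from the prefix list the satellite operator supplies, is easy to see in a small model. The following is an added example, not code from the thread or from any vendor; the forwarding table, interface names, prefixes and packets are all constructed for illustration.

```python
import ipaddress

# Constructed forwarding table: prefix -> egress interface.
# Traffic destined to the satellite customer's netblock leaves via the
# satellite uplink ("sat-up"), while that customer's own outbound packets
# arrive on a terrestrial interface ("sat-terr"): a simplex link, so the
# path is asymmetric by design.
FIB = {
    "0.0.0.0/0": "upstream",
    "192.0.2.0/24": "cust-a",
    "198.51.100.0/24": "sat-up",
}

# Constructed per-interface source allow-lists (BCP 38 ingress ACLs).
# The "sat-terr" list stands in for the prefix list the satellite operator
# would supply; nothing on that interface may source anything else.
INGRESS_ACL = {
    "cust-a": ["192.0.2.0/24"],
    "sat-terr": ["198.51.100.0/24"],
}


def egress_for(address):
    """Longest-prefix match of an address against FIB; returns the egress interface."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def strict_urpf_accepts(src, ingress_iface):
    """Strict uRPF: accept only if the route back to src exits via the ingress interface."""
    return egress_for(src) == ingress_iface


def ingress_acl_accepts(src, ingress_iface):
    """BCP 38 ingress ACL: accept only if src falls within the interface's permitted prefixes."""
    addr = ipaddress.ip_address(src)
    allowed = INGRESS_ACL.get(ingress_iface, [])
    return any(addr in ipaddress.ip_network(p) for p in allowed)


# Constructed sample packets: (source address, arrival interface, description)
PACKETS = [
    ("192.0.2.10", "cust-a", "ordinary customer, own address"),
    ("203.0.113.5", "cust-a", "ordinary customer, spoofed source"),
    ("198.51.100.7", "sat-terr", "simplex-satellite customer, own address"),
    ("203.0.113.9", "sat-terr", "simplex-satellite customer, spoofed source"),
]


def evaluate(packets=PACKETS):
    """Return, per packet, the verdict of each filter as a dict."""
    return [
        {
            "src": src,
            "iface": iface,
            "strict_urpf": strict_urpf_accepts(src, iface),
            "ingress_acl": ingress_acl_accepts(src, iface),
            "note": note,
        }
        for src, iface, note in packets
    ]


if __name__ == "__main__":
    for v in evaluate():
        urpf = "pass" if v["strict_urpf"] else "DROP"
        acl = "pass" if v["ingress_acl"] else "DROP"
        print(f"{v['src']:>14} on {v['iface']:<9} strict-uRPF={urpf:<4} "
              f"ingress-ACL={acl:<4}  {v['note']}")
```

Running it shows both filters dropping the two spoofed packets, but only the ingress ACL passing the satellite customer's legitimate packet; strict uRPF drops it because the best route to 198.51.100.0/24 exits via "sat-up", not "sat-terr". That is the "not all or nothing" point: an operator who cannot run strict uRPF on a simplex interface can still limit that interface to the handful of prefixes its customer is entitled to source, which is a far smaller exposure than permitting 0/0.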
