DNS Amplification Attacks... and a trivial proposal

Mark Andrews marka at isc.org
Fri Jun 14 02:31:40 UTC 2013


In message <14768.1371175949 at server1.tristatelogic.com>, "Ronald F. Guilmette" writes:
> 
> In message <20130614004155.72013.qmail at joyce.lan>, 
> "John Levine" <johnl at iecc.com> wrote:
> 
> >The real solution is BCP 38...
> 
> I agree completely John.  I cannot do otherwise.  But I have to ask the
> obvious elephant-in-the-room question... How is that coming along so far?

* Router manufacturers have code to support BCP 38 though it defaults to off.
* Large numbers of ISPs claim they implement BCP 38.
* NAT boxes tend to reduce the number of viable sources.  As more
  networks rather than hosts connect, the IPv4 problem space will
  reduce.  CGNs will have a similar impact.

Future:
* SIDR will make it easier for multi-homed nets to automatically configure
  border ACLs.
* Adding defaults to home CPE devices to default to only allow out source
  addresses learnt through PD or configured RAs will help.
 
> Maybe we could find worse ways to spend our time than developing a Plan B
> and/or acquiring another basket to put a few of our eggs into.
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  The idea I had was that a reasonably simple anti-DDoS protocol
> extension could be codified and rolled out along with regular software
> updates, and could thus eventually be in place even without the conscious
> cooperation of those system and network administrators who have, by their
> actions, already proven themselves to be largely if not entirely
> uncooperative, even with common sense steps to foster and protect the
> public good.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
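
The CPE default described in the reply above (only let out source addresses learnt through PD or RAs), sketched as an added example; it is not part of the original message and not ISC or vendor code. The class and function names are hypothetical, and the packets are constructed from documentation prefixes.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EgressFilter:
    # Maps a learnt prefix to its absolute expiry time in seconds (hypothetical model).
    learned: dict = field(default_factory=dict)

    def learn(self, prefix: str, valid_lifetime: int, now: float) -> None:
        """Record a prefix learnt via DHCPv6-PD or an RA, with its valid lifetime."""
        net = ipaddress.ip_network(prefix, strict=True)
        self.learned[net] = now + valid_lifetime

    def permit(self, src: str, now: float) -> bool:
        """Forward only if src lies inside a learnt prefix that has not expired."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # unparsable source: drop
        for net, expiry in self.learned.items():
            if now < expiry and addr.version == net.version and addr in net:
                return True
        return False  # default deny, including link-local and unlearnt IPv4


def filter_packets(flt, packets, now):
    """Split (src, dst) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if flt.permit(src, now) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed sample traffic (RFC 3849 / RFC 5737 documentation prefixes).
SAMPLE = [
    ("2001:db8:1200:1::25", "2001:db8:ffff::53"),  # inside the delegated /56
    ("2001:db8:9999::1", "2001:db8:ffff::53"),     # outside it: spoofed source
    ("fe80::1", "2001:db8:ffff::53"),              # link-local must not leave
    ("203.0.113.7", "198.51.100.53"),              # IPv4, no prefix learnt
]

if __name__ == "__main__":
    flt = EgressFilter()
    flt.learn("2001:db8:1200::/56", valid_lifetime=3600, now=0)
    print(filter_packets(flt, SAMPLE, now=10))    # lifetime still valid
    print(filter_packets(flt, SAMPLE, now=4000))  # delegation has expired
```

Tracking the valid lifetime matters: once a delegation expires, traffic still sourced from the old prefix is treated like any other unlearnt source and dropped.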

