DNS Amplification Attacks... and a trivial proposal

Ronald F. Guilmette rfg at tristatelogic.com
Fri Jun 14 03:05:25 UTC 2013


In message <20130614023140.7735D35E2671 at drugs.dv.isc.org>, 
Mark Andrews <marka at isc.org> wrote:

>* Router manufacturers have code to support BCP 38 though it defaults to off.

Well then, THAT is going to be a great help in solving the problem, isn't it?

>* Large numbers of ISPs claim they implement BCP 38.

I claimed that I was Charlie Chaplin once.  Unfortunately, Robert Downey Jr.
beat me to it.

(My claim also did not help any of the organizations who were DDoS'd last
week in any material way.)

>* NAT boxes tend to reduce the number of viable sources.  As more
>  networks rather than hosts connect the IPv4 problem space will
>  reduce.

At the risk of stating the obvious, putting a bunch of machines behind
a NAT box does not make the routed IPv4 addresses that those boxes were
formerly connected to disappear.  Do you believe that everybody who
puts a box behind a NAT then immediately takes pains to insure that
_nothing_ will ever represent itself to the public Internet as occupying
that box's previous routed address ever again?  Or is it just as likely,
if not more so, that some new box will be put in the old box's place...
a new box which is even less likely than the old one to be a mere end-
luser client machine, incapable of reflecting anything, and vastly more
likely to be a brand new *server* of some sort... probably of a kind that
will suddenly make that IP address useful as a packet reflector, where
the prior box would not have been useful at all in that respect?


Regards,
rfg