On Tue, 2 Oct 2007 21:59:33 -0400 (EDT) Dean Anderson <[EMAIL PROTECTED]> wrote:

> In fact, using authority servers is _less_ risk to the abuser, because
> to compose the reflector attacks, s/he has to crack into a server,
> craft a record,

One can create a large record anywhere in the namespace. There are many free DNS services available. If for some reason that won't work, miscreants can, and routinely do, use fraudulent financial credentials to purchase DNS, hosting, or whatever they need elsewhere. If that won't work, were you aware that there are numerous providers who for one reason or other either cater to miscreants or will tolerate it to the point that their only response is to simply terminate the harmful service after a litany of complaints and the damage has been done?

> and search 3.7 million IP addresses for a list of reflectors.

That is less than a /8. Piece of cake. It can be done with hardly any effort and in almost no time at all. No?

> All of these things leave a forensic trail.

Not in the real world. As I've told you before, in practice this just isn't an issue for a miscreant. Hardly anyone is logging or noticing valid, even repeated queries, TXT or otherwise, that land in their address space. Do you have a forensic trail of the queries I sent to your address space and servers? I can confirm the timestamps and source addresses offlist if you'd like.

> Any one of which might lead back to the bad guy.

Probably not. You think the bad guy is running probes from his home computer?

> At great effort, a DNS researcher has compiled a list of about 20000
> open recursors by brute force search of 3.7 billion IP addresses.

That does sound pretty sad. My experience doesn't echo that at all. What effort and what researcher are you referring to?

> I have built a tool. I have run it. And I have detected anycast open
> recursors.

Is the tool, the data, a presentation or paper in a peer-reviewed journal available?

> Yes, I know that 90% was an example. But the 97% was a statistic from a
> real (optimistic) paper on HTTP anycast presented by a proponent on
> Nanog. 3% loss is unacceptable performance for root and tld nameservers.

As far as I know, that was a presentation by some folks who were sharing their operational experience with TCP and anycast. Not a formal refereed paper. Do you have a pointer to a paper?

John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
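The exchange above turns on the claim that nobody logs or notices the recursion probes and repeated TXT lookups that precede a reflection abuse. As an added illustration (not code from the thread or either poster), the following audit reads BIND 9 style query-log lines and flags two things a resolver operator can act on: sources outside the operator's own prefixes that set the RD flag (probes for an open recursor), and sources repeatedly asking TXT or ANY for the same name. The log format, the TRUSTED prefixes and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed BIND 9 query-log line shape (constructed for this example):
#   client 203.0.113.9#4412: query: big.example. IN TXT +E (192.0.2.53)
# The first flag character is '+' when the client asked for recursion (RD set).
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F:.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Prefixes this resolver is meant to recurse for (assumed values; adjust to your network).
TRUSTED = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]


def is_trusted(src):
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED)


def audit(log_lines, repeat_threshold=3):
    """Return findings from query-log text:
    - 'outside_rd': sources outside TRUSTED that set RD, with their query counts
    - 'repeated_large': (src, qname) pairs sending TXT/ANY for one name >= threshold
    """
    outside_rd = Counter()
    repeats = Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query-log line; skip
        src, qname, qtype, flags = m.group("src", "qname", "qtype", "flags")
        if flags.startswith("+") and not is_trusted(src):
            outside_rd[src] += 1
        if qtype in ("TXT", "ANY"):
            repeats[(src, qname)] += 1
    repeated_large = {k: v for k, v in repeats.items() if v >= repeat_threshold}
    return {"outside_rd": dict(outside_rd), "repeated_large": repeated_large}


# Constructed sample log: one trusted client, one outside probe, one non-RD lookup.
SAMPLE_LOG = """\
client 192.0.2.10#5300: query: www.example. IN A +E (192.0.2.53)
client 203.0.113.9#4412: query: big.example. IN TXT +E (192.0.2.53)
client 203.0.113.9#4413: query: big.example. IN TXT +E (192.0.2.53)
client 203.0.113.9#4414: query: big.example. IN TXT +E (192.0.2.53)
client 198.51.100.7#9000: query: example. IN NS -E (192.0.2.53)
""".splitlines()

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_LOG).items():
        print(finding, detail)
```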