On Tue, 2 Oct 2007, John Kristoff wrote:

> On Tue, 2 Oct 2007 21:59:33 -0400 (EDT)
> Dean Anderson <[EMAIL PROTECTED]> wrote:
>
> > In fact, using authority servers is _less_ risk to the abuser, because
> > to compose the reflector attacks, s/he has to crack into a server,
> > craft a record,
>
> One can create a large record anywhere in the namespace. There are many
> free DNS services available. If for some reason that won't work,
> miscreants can and routinely do use fraudulent financial credentials
> to purchase DNS, hosting, or whatever they need elsewhere. If that
> won't work, were you aware that there are numerous providers who for
> one reason or other either cater to miscreants or will tolerate it
> to the point that their only response is to simply terminate the
> harmful service after a litany of complaints and the damage has been
> done?

These all leave forensic trails.

> > and search 3.7 million IP addresses for a list of reflectors.
>
> That is less than a /8. Piece of cake. It can be done with hardly
> any effort and in almost no time at all. No?
>
> > All of these things leave a forensic trail.
>
> Not in the real world.

Yes. In the real world. You are merely failing to distinguish the mere
miscreant that doesn't merit investigation from the genuine criminal that
does. You assume that because your miscreants aren't caught, it is because
it isn't possible to find them. In fact, it is __your__ powers that are
limited, not the powers of the government to find real criminals.

> As I've told you before, in practice this just isn't an issue for a
> miscreant. Hardly anyone is logging or noticing valid, even repeated
> queries, TXT or otherwise, that land in their address space.

Yes, actually people are making such logs. That they don't use those logs
to track your mere annoyance doesn't mean those logs aren't there.

> Do you have a forensic trail of the queries I sent to your address
> space and servers? I can confirm the timestamps and source addresses
> offlist if you'd like.

Could be in logs. I don't have any inclination to look. But I have noticed
strange activity from ultradns before.

> > Any one of which might lead back to the bad guy.
>
> Probably not. You think the bad guy is running probes from his home
> computer?

Doesn't matter. Perhaps you recall the 'great northeast power failure' a
few years ago. It coincided with a virus release, and briefly, it was
thought the virus was responsible. The virus wasn't responsible, but the
suspicion caused the various LEAs to get the 14 year old responsible for
the virus. It took about 3 days to get the kid, which includes the time to
become suspicious of the virus, and then begin to find it.

> > At great effort, a DNS researcher has compiled a list of about 20000
> > open recursors by brute force search of 3.7 billion IP addresses.
>
> That does sound pretty sad. My experience doesn't echo that at all.
> What effort and what researcher are you referring to?

And give you a list of 20000 open recursors? I think not.

> > I have built a tool. I have run it. And I have detected anycast open
> > recursors.
>
> Is the tool, the data, a presentation or paper in a peer-reviewed
> journal available?

Not yet. The tool and the data will be published soon.

> > Yes, I know that 90% was an example. But the 97% was a statistic from
> > a real (optimistic) paper on HTTP anycast presented by a proponent
> > on Nanog. 3% loss is unacceptable performance for root and tld
> > nameservers.
>
> As far as I know, that was a presentation by some folks who were
> sharing their operational experience with TCP and anycast. Not a
> formal refereed paper. Do you have a pointer to a paper?

A paper presented to a professional organization, as Nanog claims to be,
is indeed a professional paper, subject to professional standards.
Peer-review is just an assurance that those standards were actually met. I
don't know for sure whether Nanog does peer-review, though; it seems to
have a committee that does that.

http://www.nanog.org/mtg-0606/pdf/matt.levine.pdf

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
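The thread above argues about two measurable things: whether a given nameserver answers recursive queries for arbitrary clients (an "open recursor"), and how much a large record in the namespace amplifies a reflected query. The block below is an added example, not code from either poster or from the tool Dean Anderson mentions. It builds a DNS query in wire format, parses a response far enough to read the QR/RA bits, RCODE and answer RDLENGTHs, classifies the responder, and computes the byte amplification ratio. All responses are constructed inline with a helper so it runs offline; the name example.net, the transaction ID and the 1020-byte TXT payload are assumptions chosen for the demonstration.

```python
"""DNS wire-format helpers: classify a responder as an open recursor and
measure reflection amplification. Added example; the "responses" used here
are constructed locally rather than received from any real server."""
import struct

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}


def encode_name(name):
    """example.net -> b'\\x07example\\x03net\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234, rd=True):
    """Standard query: RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def txt_rdata(text):
    """TXT RDATA is a sequence of <len><chars> strings, each at most 255."""
    out = b""
    for i in range(0, len(text), 255):
        chunk = text[i:i + 255].encode("ascii")
        out += bytes([len(chunk)]) + chunk
    return out


def build_response(query, rdatas, qtype, ra=True, rcode=0):
    """Constructed response (assumption: a server's reply) echoing the
    question section; each answer names the owner via pointer 0xC00C."""
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode  # QR, RD, RA
    hdr = query[:2] + struct.pack("!HHHHH", flags, 1, len(rdatas), 0, 0)
    rrs = b""
    for rdata in rdatas:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[qtype], 1, 300, len(rdata)) + rdata
    return hdr + query[12:] + rrs


def skip_name(data, off):
    """Advance past a name; a compression pointer (top two bits set) ends it."""
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:
            return off + 2
        if ln == 0:
            return off + 1
        off += 1 + ln


def parse_response(data):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    rdlens = []
    for _ in range(an):
        off = skip_name(data, off)
        _, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        rdlens.append(rdlen)
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an, "rdlens": rdlens}


def classify(query, response):
    """Open recursor: matching ID, RA set, NOERROR and at least one answer."""
    r = parse_response(response)
    if not r["qr"] or r["id"] != struct.unpack("!H", query[:2])[0]:
        return "not-a-matching-response"
    if r["rcode"] == 5:
        return "refused"
    if r["ra"] and r["rcode"] == 0 and r["answers"] > 0:
        return "open-recursor"
    if not r["ra"]:
        return "authoritative-only"
    return "unclear"


def amplification(query, response):
    """Bytes sent to the victim per byte spent by the attacker."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.net", "TXT")
    big = build_response(q, [txt_rdata("A" * 1020)], "TXT")
    print(classify(q, big), round(amplification(q, big), 1))
    print(classify(q, build_response(q, [], "TXT", ra=False, rcode=5)))
```

The refusal case is what a properly restricted recursor returns to a source outside its allowed clients; the open-recursor case with a 1 KB TXT answer shows a 29-byte query turning into a response roughly 37 times larger, which is the ratio the "large record anywhere in the namespace" point is about.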