Have there been any subsequent attacks since the motivating attack was reported?
Given that we now have some high-profile DNSSEC test zones (thanks to David Conrad), there is now no reason at all to use a recursor in a DDoS attack. One would merely make DNSSEC queries against a high-profile authority server. One can conduct attacks on well-known high-profile authority servers without the risk of exposure inherent in searching out reflectors. And I note that Paul Wouters previously asserted that 100:1 amplification is a non-issue. If so, then certainly reflector attacks are also a non-issue for the same reason. So, this draft is in search of a problem to solve.

However, closing open recursors may promote the sales of DNS servers to people who didn't need them before, so I wonder about that. And can we expect to see people selling 'reflector blacklist' products to ISPs to block DNS to open recursors, merely because the recursors are open? Will we see 'reflector blacklist' people scanning for open recursors?

This draft reminds me of the claims that open relays somehow promoted spam. In that case, claims persisted even though misconceptions about anonymity or other benefits for spammers were dispatched years ago, even though no genuine commercial bulk emailers used open relays after Sanford Wallace's failed attempt in 1997. Indeed, Wallace's abuse failed precisely because there was no anonymity offered. That incident demonstrated that there were no benefits in abusing open relays. But despite all these contrary facts, persons selling anti-spam software continued to assert that open relays somehow promoted spam. But their claims only promoted their own business: ORBS and Osirusoft were found to be abusing open relays, and then selling blocking services. ORBS was found in court (3 cases) to be using false statements about open relays for its financial benefit.
For another example closer to the authors of the 'reflectors-are-evil' document: it was also discovered that ISC and MAPS blacklist founder Paul Vixie was a director/owner of a Commercial Bulk Mail company called Whitehat, along with Rodney Joffe. Joffe was the founder of UltraDNS and Centergate Research, where Bill Manning is/was chief scientist. Vixie is/was a board member of Nominum while David Conrad was President of Nominum. Much of this and more is written up at http://www.iadl.org

I don't think we should buy ISC's line about 'reflector attacks' either. The reported attacks seem to me to be artificially contrived. The justification for this document just doesn't hold water because anyone wanting to use DNS to conduct attacks would make use of other more damaging, more difficult to mitigate attacks that don't expose the attacker to possible discovery.

The fundamental assertion underlying this document is that technology is somehow inherently evil. Technology is never evil. People might be evil. There are legitimate uses for open recursors, and that should continue to be recognized.

--Dean
Av8 Internet