On Tue, 2 Sep 2008, Danny McPherson wrote:

> On Sep 2, 2008, at 9:47 AM, Joe Abley wrote:
> >>
> >> There is "usually" no harm to anyone from open resolvers. No one has
> >> reported any further attacks since this draft was conceived.
> >
> > That is not true. It's possible that the forums in which such attacks
> > are discussed are not available to you, of course. I say that not as
> > some kind of thinly-veiled attack, but merely as an observation that
> > security ops forums tend not to be public.
> 
> I'd note that this 2008 Infrastructure Security Survey collection
> is about done, and the largest reported attack over the past
> 12 months was just north of 40 Gbps (yes, I meant to type "forty")
> and employed DNS-based reflective amplification vectors.
> 
> Others reported these attacks well above 10 Gbps in the past
> 12 months as well..
> 
> Report to be published in next month or two.

I find this hard to believe from three standpoints:

1) the expected number of open DNS recursors and their collective
bandwidth doesn't seem to be large enough to support a 40Gbps attack.

2) Why would anyone capable of programming bother searching for open
recursors (with often small connection speeds) when they can use 100+
root servers with large amplification factors and high bandwidth
connections at key exchange points?

3) Why aren't these attacks being prosecuted? Someone searching for open
recursors is bound to be noticed.  The only people I know of searching
for open recursors is UltraDNS and a scientific group at Cornell.

I'll wait to see the report.  It will also be interesting to find out
who was surveyed. If it turns out to be primarily NANOG (the source of
the original reports), I'll be more dubious.  Mr. McPherson is
associated with NANOG, attending 18 meetings as of NANOG 42; only 46
people have attended more NANOG meetings than Mr. McPherson. Comparing
NANOG participation with ARIN membership shows that NANOG makes up a
very small portion of internet service providers.  NANOG has also been
the scene for other deceptions of the internet community. See
http://www.iadl.org/nanog/nanog-story.html for more information.

Perhaps what is needed is a clearinghouse for reporting and stopping DNS
scanners; besides preventing abuse, such a clearinghouse could be useful
in identifying and prosecuting the abusers. Scan detection and abuse
complaint is what drove open relay abusers out of business.  A useful
technique for scan detection is a non-production special "server".
Scanners show up in the logs; no one else does. Dnscache, BIND, and
PowerDNS all have the necessary logging capabilities.


                --Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
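The "non-production special server" idea in Dean's last paragraph can be turned into a small detection script. The following is an added example, not code from the thread or from any of the resolver projects named in it. It assumes a decoy resolver logging in the style of BIND 9's "queries" category (client address, port, qname, qtype and a leading "+" or "-" flag for recursion desired); the log lines, the 10.0.0.0/8 "trusted monitoring" range and the addresses used are all constructed for illustration. Because a decoy has no legitimate clients, every untrusted source that appears is by definition a prober, so the script just parses, groups by source and emits a summary suitable for an abuse complaint.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of BIND 9 "queries" category logging.
# The decoy resolver serves no real clients, so every outside source is suspect.
SAMPLE_LOG = """\
02-Sep-2008 10:15:32.123 client 203.0.113.7#53211: query: . IN NS +
02-Sep-2008 10:15:32.140 client 203.0.113.7#53212: query: example.com IN ANY +
02-Sep-2008 10:15:33.001 client 198.51.100.22#1025: query: www.example.net IN A +
02-Sep-2008 10:15:40.512 client 203.0.113.7#53213: query: isc.org IN ANY +
02-Sep-2008 10:16:02.770 client 192.0.2.55#40000: query: . IN NS -
02-Sep-2008 10:16:03.001 client 192.0.2.55#40001: query: example.org IN TXT +
02-Sep-2008 10:17:00.000 client 10.1.2.3#5353: query: health.check IN A +
"""

# One BIND-style query line: timestamp, "client IP#port:", then qname/qtype/flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Hypothetical: addresses of our own monitoring hosts, which are allowed to probe the decoy.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return a dict for one query-log line, or None if the line is not a query record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["rd"] = rec["flags"].startswith("+")  # '+' = recursion desired (open-resolver probe)
    return rec


def summarize(log_text, trusted=TRUSTED_NETS):
    """Group queries by untrusted source IP: count, RD count, qtypes seen, first/last timestamp."""
    per_src = defaultdict(lambda: {"count": 0, "rd": 0, "qtypes": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = ip_address(rec["ip"])
        if any(ip in net for net in trusted):
            continue  # our own checks, not a scanner
        s = per_src[rec["ip"]]
        s["count"] += 1
        s["rd"] += int(rec["rd"])
        s["qtypes"].add(rec["qtype"])
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(per_src)


def abuse_report(summary):
    """One line per source, busiest first, in a form that can be pasted into an abuse complaint."""
    lines = []
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        qtypes = ",".join(sorted(s["qtypes"]))
        lines.append(f"{ip}: {s['count']} queries ({s['rd']} with RD) types={qtypes} {s['first']}..{s['last']}")
    return lines


if __name__ == "__main__":
    for line in abuse_report(summarize(SAMPLE_LOG)):
        print(line)
```

Pointing the script at a real log (for example a BIND queries channel file) is a matter of reading that file instead of SAMPLE_LOG; the value of the approach is that no allowlist of "good" behaviour is needed, since a decoy resolver should see no traffic at all beyond the operator's own checks.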
