(CC trimmed)

Having worked for a tier-1 provider and started two ISPs in the past,  
I am certain that BCP38 won't be universally deployed as that is  
operationally very hard and costly in larger networks. This  
effectively means that there will still be attack vectors open using  
recursive reflectors. Attacks using open recursors are real. I wish I  
could share data or evidence, but as is usually the case in security  
operations, people are not very happy to share the details. The best  
we have is what I assume is the data point from the largest commercial  
observer and regular study (Danny's survey) from the global operations  
forums. Dean has already decided to disregard that data, so I  
have no idea what other public source of data he would trust.

I support the publication of the document.

- kurtis -

On 9 sep 2008, at 22.19, Ron Bonica wrote:

> Dean,
>
> Thanks for this proposal. At this point, I will sit quietly for a while
> and let the WG comment on whether they think that your proposed
> alternative mitigation is adequate. On Friday, the WG chairs will gauge
> consensus and I will take appropriate action.
>
>                              Ron
>
>
> Dean Anderson wrote:
>
>>
>> Mitigation of open resolver attacks is well described, both by BCP38 and
>> by the previous comparison with the more damaging DNS attack.
>>
>> If one is attacked by open recursors, the mitigation during the attack
>> is to filter the packets from the open recursors during the attack.
>> Filtering open recursors usually has little or no damage to either the
>> recursor operator or the target of the attack. This is the typical
>> response by ISPs to all kinds of packet flooding attacks. There is
>> nothing special about open recursor attacks that requires any kind of
>> special handling.
>>
>>              --Dean
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

