Hello All:
> From: Paul Vixie <[EMAIL PROTECTED]>
> Date: Tue, 29 Jul 2008 01:24:43 +0000
> To: Nanog <[EMAIL PROTECTED]>
> Subject: Re: Great Suggestion for the DNS problem...?
>
> [EMAIL PROTECTED] ("Jay R. Ashworth") writes:
>
>> [ unthreaded to encourage discussion ]
>>
>> On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
>>> Nameservers could incorporate poison detection...
>>>
>>> Listen on 200 random fake ports (in addition to the true query ports);
>>> if a response ever arrives at a fake port, then it must be an attack,
>>> read the "identified" attack packet, log the attack event, mark the
>>> RRs mentioned in the packet as "poison being attempted" for 6 hours;
>>> for such domains always request and collect _two_ good responses
>>> (instead of one), with a 60 second timeout, before caching a lookup.
>>>
>>> The attacker must now guess nearly 64 bits in a short amount of time,
>>> to be successful. Once a good lookup is received, discard the normal
>>> TTL and hold the good answer cached and immutable, for 6 hours (_then_
>>> start decreasing the TTL normally).
>>
>> Is there any reason which I'm too far down the food chain to see why
>> that's not a fantastic idea? Or at least, something inspired by it?
>
> at first glance, this is brilliant, though with some unimportant nits.
>
> however, since it is off-topic for nanog, i'm going to forward it to
> the [EMAIL PROTECTED] mailing list and make detailed comments
> there.
> --

Still off topic, but perhaps a BGP feed from Cymru or similar to block IP addresses on the list?

Regards,
Mike
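The decoy-port scheme James Hess sketches in the quoted message, written out as a small offline simulation. This is an added example, not code from anyone in the thread: there are no real sockets, responses are fed in as constructed records, and the resolver state machine implements the rules as stated (a reply on a decoy port is logged as an attack and marks the name suspect for 6 hours; a suspect name needs two matching good answers within 60 seconds before it is cached; a cached answer is then pinned for 6 hours before its TTL starts counting down). The ephemeral port range, the number of true query ports, and the handling of two disagreeing answers (restart the pair from the newer one) are my assumptions, not something the post specifies.

```python
"""Simulation of decoy-port cache-poisoning detection (added example, not the
thread authors' code). No network I/O: responses are constructed records."""
import random

SUSPECT_SECS = 6 * 3600       # "poison being attempted" for 6 hours (from the post)
PIN_SECS = 6 * 3600           # good answer held immutable for 6 hours (from the post)
SECOND_ANSWER_SECS = 60       # window to collect the second good answer (from the post)
NUM_DECOYS = 200              # decoy ports (from the post)
PORT_RANGE = (1024, 65535)    # assumption: ephemeral range the resolver draws from


class Resolver:
    """Minimal recursive-resolver state: outstanding queries, suspect names, cache."""

    def __init__(self, seed=0, query_ports=4):
        rng = random.Random(seed)
        ports = rng.sample(range(*PORT_RANGE), query_ports + NUM_DECOYS)
        self.query_ports = set(ports[:query_ports])   # ports we really send from
        self.decoy_ports = set(ports[query_ports:])   # listened on, never used to query
        self.outstanding = {}   # (port, txid) -> qname for queries actually sent
        self.suspect = {}       # qname -> timestamp until which it is "poison being attempted"
        self.pending = {}       # qname -> (rrs, seen_at) first good answer awaiting confirmation
        self.cache = {}         # qname -> {"rrs", "pinned_until", "expires"}
        self.log = []           # (event, qname, port, time) tuples

    def send_query(self, qname, txid, port):
        """Record a query we sent; a genuine reply must come back on (port, txid)."""
        if port not in self.query_ports:
            raise ValueError("queries are only sent from true query ports")
        self.outstanding[(port, txid)] = qname

    def on_response(self, port, txid, qname, rrs, ttl, now):
        """Classify one incoming UDP reply. Returns a short verdict string."""
        if port in self.decoy_ports:
            # Nothing was ever sent from a decoy port, so a reply here is forged.
            self.log.append(("poison-attempt", qname, port, now))
            self.suspect[qname] = now + SUSPECT_SECS
            self.pending.pop(qname, None)     # restart any half-collected pair
            return "attack"
        if self.outstanding.get((port, txid)) != qname:
            self.log.append(("dropped", qname, port, now))
            return "dropped"                  # not a reply to anything we asked
        del self.outstanding[(port, txid)]

        if self.suspect.get(qname, 0) > now:
            first = self.pending.get(qname)
            if first is None or now - first[1] > SECOND_ANSWER_SECS:
                self.pending[qname] = (rrs, now)        # need a second matching answer
                return "pending"
            if first[0] != rrs:
                # Assumption: disagreeing answers restart the pair from the newer one.
                self.log.append(("mismatch", qname, port, now))
                self.pending[qname] = (rrs, now)
                return "mismatch"
            del self.pending[qname]
            # Two good answers agree: cache, hold immutable for PIN_SECS, then normal TTL.
            self.cache[qname] = {"rrs": rrs, "pinned_until": now + PIN_SECS,
                                 "expires": now + PIN_SECS + ttl}
            return "cached-pinned"

        self.cache[qname] = {"rrs": rrs, "pinned_until": None, "expires": now + ttl}
        return "cached"

    def lookup(self, qname, now):
        """Return cached RRs for qname, or None if absent or expired."""
        entry = self.cache.get(qname)
        if entry is None or entry["expires"] <= now:
            return None
        return entry["rrs"]

    def is_pinned(self, qname, now):
        entry = self.cache.get(qname)
        return bool(entry and entry["pinned_until"] and entry["pinned_until"] > now)


if __name__ == "__main__":
    r = Resolver(seed=1)
    qp = sorted(r.query_ports)[0]
    decoy = sorted(r.decoy_ports)[0]
    r.send_query("example.com", 0x1234, qp)
    print(r.on_response(decoy, 0x0001, "example.com", ("203.0.113.9",), 300, 1000.0))
    print(r.on_response(qp, 0x1234, "example.com", ("192.0.2.1",), 300, 1001.0))
    r.send_query("example.com", 0x5678, qp)
    print(r.on_response(qp, 0x5678, "example.com", ("192.0.2.1",), 300, 1002.0))
    print(r.lookup("example.com", 1000.0 + 5 * 3600), r.log)
```

Note what the decoys do and do not buy: a forged reply is only detected when it lands on a decoy port, so the scheme raises the cost of an attack that sprays many ports and gives the resolver a signal to tighten up on the targeted name, but a forged packet that happens to hit a true query port with the right transaction ID is still accepted unless the name is already marked suspect.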