Well,

On 03/25/13 16:45, Jared Mauch wrote:
> On Mar 25, 2013, at 2:04 PM, Jay Ashworth <j...@baylink.com> wrote:
>
>> ----- Original Message -----
>>> From: "Jared Mauch" <ja...@puck.nether.net>
>>> Open resolvers pose a security threat.
>>
>> Could you clarify, here, Jared?
>>
>> Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
>>
>> Or is it merely "customer zone servers which are misconfigured to recurse",
>> as has always been problematic?
>>
>> That is: is this just a reminder we never closed the old hole, or
>> notification of some new and much nastier hole?
>
> There have been some moderate size attacks recently that I won't go into
> detail here about. The IPs that are on the website are certainly being
> used/abused. A recent attack saw a 90% match rate against the "master list"
> here. This means your open resolver is likely being used.
>
> Anything to raise the bar here will minimize the impact to those networks
> under attack. Turn on RPF facing your colocation and high-speed server LANs.
> We all know hosts become compromised. Help minimize the impact of these
> attacks by
>
> a) doing BCP-38
> b) locking down your recursive servers to networks you control
> c) locking down your authority servers to not provide the same answer 15x in
> a second to the same querying IP. If it's asking that same question 15x,
> then it's not you that's broken, it's that client. (Or it's being abused).
>
> - Jared
I think most of the audience here knows and is sensitive about it. The problems come from those who don't give a *shit*... And they've not been giving a *shit* about it for years. The magic is in "how" to make them care. Does the industry need to go "a la PCI-DSS" for Peers?

PS: My pico ISP is soooo on your list Jared =D Not for long hopefully.

-----
Alain Hebert                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770  Beaconsfield, Quebec  H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
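As an added illustration of points (b) and (c) in Jared's list (not part of the original thread), the following script checks a resolver's query log for the two symptoms he describes: queries arriving from outside the networks you control (an open recursive server), and the same client asking the same question more than 15 times within one second. The log lines, the trusted prefixes and the client addresses are all constructed for the example; the line format imitates a BIND-style query log but is an assumption, so adjust the regular expression to whatever your resolver actually writes.

```python
"""Flag open-recursion and repeat-query abuse in a resolver query log.

Constructed example: log format, trusted networks and addresses are all
assumptions, not taken from any real deployment.
"""
import ipaddress
import re
from collections import Counter

# Networks from which recursion is legitimately expected (hypothetical values).
TRUSTED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# "Same question 15x in a second to the same querying IP" threshold.
REPEAT_THRESHOLD = 15

# Assumed BIND-like line: "<date> <time>.<ms> client <ip>#<port>: query: <name> <class> <type> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True if the client address falls inside a network we control."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyse(lines, threshold=REPEAT_THRESHOLD):
    """Return (clients outside trusted nets, {(second, ip, qname, qtype): count}
    for questions repeated more than `threshold` times in one second)."""
    outside = set()
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line, skip it
        if not is_trusted(rec["ip"]):
            outside.add(rec["ip"])
        # Bucket by whole second: the timestamp captured above drops the milliseconds.
        counts[(rec["ts"], rec["ip"], rec["qname"], rec["qtype"])] += 1
    floods = {key: n for key, n in counts.items() if n > threshold}
    return outside, floods


# Constructed sample: one outside client hammering an ANY query 20 times in
# a single second, plus two ordinary queries from a trusted client.
SAMPLE_LOG = [
    f"25-Mar-2013 16:45:01.{i:03d} client 203.0.113.5#{40000 + i}: "
    f"query: isc.org IN ANY +E (198.51.100.1)"
    for i in range(20)
] + [
    "25-Mar-2013 16:45:01.500 client 192.0.2.10#53211: query: example.com IN A +E (198.51.100.1)",
    "25-Mar-2013 16:45:02.010 client 192.0.2.10#53212: query: example.com IN AAAA +E (198.51.100.1)",
    "25-Mar-2013 16:45:02.020 unrelated line that should be ignored",
]


if __name__ == "__main__":
    outside, floods = analyse(SAMPLE_LOG)
    for ip in sorted(outside):
        print(f"recursion served to untrusted client {ip}")
    for (sec, ip, qname, qtype), n in floods.items():
        print(f"{sec}: {ip} asked {qname}/{qtype} {n} times in one second")
```

The two findings map straight onto the fixes in the thread: an untrusted client receiving recursion means the `allow-recursion` ACL (or its equivalent on your resolver) is too wide, and a repeat-query flood is what response rate limiting on an authoritative server is meant to absorb. Run this over a day of logs rather than a minute; a single burst of 15 is the signal Jared gives, but the sustained pattern is what tells you your server is on someone's list.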