Well,

On 03/25/13 16:45, Jared Mauch wrote:
> On Mar 25, 2013, at 2:04 PM, Jay Ashworth <j...@baylink.com> wrote:
>
>> ----- Original Message -----
>>> From: "Jared Mauch" <ja...@puck.nether.net>
>>> Open resolvers pose a security threat.
>> Could you clarify, here, Jared?
>>
>> Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
>>
>> Or is it merely "customer zone servers which are misconfigured to recurse",
>> as has always been problematic?
>>
>> That is: is this just a reminder we never closed the old hole, or 
>> notification of some new and much nastier hole?
> There have been some moderate size attacks recently that I won't go into 
> detail here about.  The IPs that are on the website are certainly being 
> used/abused.  A recent attack saw a 90% match rate against the "master list" 
> here.  This means your open resolver is likely being used.
>
> Anything to raise the bar here will minimize the impact to those networks 
> under attack.  Turn on RPF facing your colocation and high-speed server lans. 
>  We all know hosts become compromised.  Help minimize the impact of these 
> attacks by 
>
> a) doing BCP-38
> b) locking down your recursive servers to networks you control
> c) locking down your authority servers to not provide the same answer 15x in 
> a second to the same querying IP.  If it's asking that same question 15x, 
> then it's not you that's broken, it's that client.  (Or it's being abused).
>
> - Jared

    I think most of the audience here knows and are sensitive about it.

    The problems come from from those who don't give a *shit*... And
they've been not giving a *shit* it for years.

    The magic is in "how" to make them care.

    Do the industry need to go "a la PCI-DSS" for Peers?

    PS: My pico ISP is soooo on your list Jared =D  Not for long hopefully.

-----
Alain Hebert                                aheb...@pubnix.net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443


Reply via email to