Well,
On 03/25/13 16:45, Jared Mauch wrote:
> On Mar 25, 2013, at 2:04 PM, Jay Ashworth <j...@baylink.com> wrote:
>
>> ----- Original Message -----
>>> From: "Jared Mauch" <ja...@puck.nether.net>
>>> Open resolvers pose a security threat.
>> Could you clarify, here, Jared?
>>
>> Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
>>
>> Or is it merely "customer zone servers which are misconfigured to recurse",
>> as has always been problematic?
>>
>> That is: is this just a reminder we never closed the old hole, or
>> notification of some new and much nastier hole?
> There have been some moderate size attacks recently that I won't go into
> detail here about. The IPs that are on the website are certainly being
> used/abused. A recent attack saw a 90% match rate against the "master list"
> here. This means your open resolver is likely being used.
>
> Anything to raise the bar here will minimize the impact to those networks
> under attack. Turn on RPF facing your colocation and high-speed server lans.
> We all know hosts become compromised. Help minimize the impact of these
> attacks by
>
> a) doing BCP-38
> b) locking down your recursive servers to networks you control
> c) locking down your authority servers to not provide the same answer 15x in
> a second to the same querying IP. If it's asking that same question 15x,
> then it's not you that's broken, it's that client. (Or it's being abused).
>
> - Jared
I think most of the audience here knows and are sensitive about it.
The problems come from from those who don't give a *shit*... And
they've been not giving a *shit* it for years.
The magic is in "how" to make them care.
Do the industry need to go "a la PCI-DSS" for Peers?
PS: My pico ISP is soooo on your list Jared =D Not for long hopefully.
-----
Alain Hebert aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
