On Tue, Mar 26, 2013 at 7:25 PM, Jon Lewis <jle...@lewis.org> wrote:
> On Tue, 26 Mar 2013, Matthew Petach wrote:
>
>> The concern Valdis raised about securing recursives while still
>> being able to issue static nameserver IPs to mobile devices
>> is an orthogonal problem to Owen putting rate limiters on
>> the authoritative servers for he.net. If we're all lighting up
>> pitchforks and raising torches, I'd kinda like to know at which
>> castle we're going to go throw pitchforks.
>
>
> BCP38. As you can see from the wandering conversation, there are many
> attack vectors that hinge on the ability to spoof the source address, and
> thereby misdirect responses to your DDoS target. BCP38 filtering stops them
> all. Or, we can ignore BCP38 for several more years, go on a couple years
> crusade against open recursive resolvers, then against non-rate-limited
> authoritative servers, default public RO SNMP communities, etc.
>

And I don't plan on being around doing this sort of work in another 10+ years, so let's stop farting around. :-p

- ferg

--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com