Re: DNS Amplification Attacks

2006-03-25 Thread Joseph S D Yao
On Thu, Mar 23, 2006 at 02:07:36PM +0100, Peter Dambier wrote: > > Please don't take ICANN censoring "XN--55QX5D.", "XN--FIQS8S." and > "XN--IO0A7I." seriously. Meant as a joke. Did not make it. Sorry! I see. Thanks for the info. My observation of human senses of humor is that humor is a mutual re

Re: DNS Amplification Attacks

2006-03-25 Thread Joseph S D Yao
On Thu, Mar 23, 2006 at 09:35:34AM +, [EMAIL PROTECTED] wrote: > > > DNS looking glasses, in much the same way that we use web-form based > > > BGP or traceroute looking glasses today. > > > > Open resolvers are far better than looking glasses to assess the state > > of DNS, and we are campai

Re: DNS Amplification Attacks

2006-03-23 Thread Peter Dambier
Please don't take ICANN censoring "XN--55QX5D.", "XN--FIQS8S." and "XN--IO0A7I." seriously. Meant as a joke. Did not make it. Sorry! Joseph S D Yao wrote: "You keep using that word. I do not think it means what you think it means." My dictionary says censor is from Latin. A magistrate, lets c

Re: DNS Amplification Attacks

2006-03-23 Thread Michael . Dillon
> > DNS looking glasses, in much the same way that we use web-form based > > BGP or traceroute looking glasses today. > > Open resolvers are far better than looking glasses to assess the state > of DNS, and we are campaigning against them. You can't have it both > ways. 8-( What is the definiti

Re: DNS Amplification Attacks

2006-03-22 Thread Joseph S D Yao
On Wed, Mar 22, 2006 at 08:33:55PM +0100, Florian Weimer wrote: > * Peter Dambier: ... > > How about alternative roots? ICANN does censor "XN--55QX5D.", "XN--FIQS8S." > > and "XN--IO0A7I." already. You must use alternative roots to exchange emails > > with people living in those domains. > > Unfo

Re: DNS Amplification Attacks

2006-03-22 Thread Florian Weimer
* Peter Dambier: >> This is not true. There has been some questionable advice by a >> regulatory body, though. Most damage is done by ISPs which simply do >> not adjust the filters to the moving target and run them as-is since >> 2001 or so. Null routes tend to filter a different customer afte

Re: DNS Amplification Attacks

2006-03-22 Thread Peter Dambier
Florian Weimer wrote: * Andy Davidson: DNS looking glasses, in much the same way that we use web-form based BGP or traceroute looking glasses today. Open resolvers are far better than looking glasses to assess the state of DNS, and we are campaigning against them. You can't have it both w

Re: DNS Amplification Attacks

2006-03-22 Thread Peter Dambier
Florian Weimer wrote: * Peter Dambier: In Germany censoring is commonplace. You have to use foreign resolvers to escape it. There is a lot of collateral damage too - government has provided the tools. This is not true. There has been some questionable advice by a regulatory body, though.

Re: DNS Amplification Attacks

2006-03-22 Thread Florian Weimer
* Andy Davidson: > DNS looking glasses, in much the same way that we use web-form based > BGP or traceroute looking glasses today. Open resolvers are far better than looking glasses to assess the state of DNS, and we are campaigning against them. You can't have it both ways. 8-(

Re: DNS Amplification Attacks

2006-03-22 Thread Florian Weimer
* Peter Dambier: > In Germany censoring is commonplace. You have to use foreign resolvers > to escape it. There is a lot of collateral damage too - government has > provided the tools. This is not true. There has been some questionable advice by a regulatory body, though. Most damage is done by

Re: DNS Amplification Attacks

2006-03-21 Thread Joseph S D Yao
On Tue, Mar 21, 2006 at 07:09:49AM +, Andy Davidson wrote: > Joseph S D Yao wrote: > [...] > >service except perhaps to their own population, then against what can > >you compare the DNS service that you are getting, to see whether it is > >giving you what "the world" should be seeing? > > DN

Re: DNS Amplification Attacks

2006-03-20 Thread Andy Davidson
Joseph S D Yao wrote: [...] service except perhaps to their own population, then against what can you compare the DNS service that you are getting, to see whether it is giving you what "the world" should be seeing? DNS looking glasses, in much the same way that we use web-form based BGP or tr

Re: DNS Amplification Attacks

2006-03-20 Thread Todd Vierling
On Mon, 20 Mar 2006, Peter Dambier wrote: > How about alternative roots? ICANN does censor "XN--55QX5D.", "XN--FIQS8S." > and "XN--IO0A7I." already. You must use alternative roots to exchange emails > with people living in those domains. Stop with the bull$**+ (self-censored), trying to recast t

Re: DNS Amplification Attacks

2006-03-20 Thread Peter Dambier
Joseph S D Yao wrote: On Mon, Mar 20, 2006 at 11:30:46PM +0200, Gadi Evron wrote: ... Where did that come from? I respect you but please, let's have a technical discussion. This is important enough for us all to avoid the flame-wars for now. Don't move this thread to politics or lunacies. .

Re: DNS Amplification Attacks

2006-03-20 Thread Paul Vixie
> Attacks such as this one have been happening for a long time now, none of > us should be surprised. Two new things in the *recent* attacks are: > > 1. Wide exploitation in the wild, which draws attention. that the press has been told about it this time, is new. the scope of the attack, either

Re: DNS Amplification Attacks

2006-03-20 Thread Joseph S D Yao
On Mon, Mar 20, 2006 at 11:30:46PM +0200, Gadi Evron wrote: ... > Where did that come from? I respect you but please, let's have a > technical discussion. This is important enough for us all to avoid the > flame-wars for now. Don't move this thread to politics or lunacies. ... Then leave gover

Re: DNS Amplification Attacks

2006-03-20 Thread Gadi Evron
Geo. wrote: Recursion the way it is set now with most DNS implementations, is the problem being exploited by spoofing. It is true spoofing is bad for our health, but that does not mean we should ignore what actually gets exploited, which is recursive name servers open to the world. Fixing the o

RE: DNS Amplification Attacks

2006-03-20 Thread Geo.
> Recursion the way it is set now with most DNS implementations, is the > problem being exploited by spoofing. It is true spoofing is bad for our > health, but that does not mean we should ignore what actually gets > exploited, which is recursive name servers open to the world. > > Fixing the one

Re: DNS Amplification Attacks

2006-03-20 Thread Gadi Evron
Sean Donelan wrote: This goes beyond an individual protocol such as DNS. You can generate blowback with many different protocols. Technology can take you only so far, you also have to address the human element too. 1. Bad guys 2. Compromised computers (a few are really "owned" by the bad guys

Re: DNS Amplification Attacks

2006-03-20 Thread Wayne E. Bouchard
On Fri, Mar 17, 2006 at 03:27:03PM -0800, [EMAIL PROTECTED] wrote: > That ISPs still do not filter inbound traffic from their customers to prevent > source spoofing is amazing. The fact that there are vendors out there that do not support RPF filtering is even more amazing. --- Wayne Boucha

Re: DNS Amplification Attacks

2006-03-19 Thread Sean Donelan
On Fri, 17 Mar 2006 [EMAIL PROTECTED] wrote: > That ISPs still do not filter inbound traffic from their customers to > prevent source spoofing is amazing. Heck, some people still can't get reverse DNS setup correctly for their IP addresses. And in-addr.arpa has been around for decades. > host 6

Re: DNS Amplification Attacks

2006-03-17 Thread ennova2005-nanog
That ISPs still do not filter inbound traffic from their customers to prevent source spoofing is amazing. Done closer to the ingress edge this filtering shouldn't be that expensive. Not everyone will do it, but at least it will limit the places from where source address spoofing attacks originate.T

DNS Amplification Attacks

2006-03-17 Thread Gadi Evron
In this paper we address in detail how the recent DNS DDoS attacks work. How they abuse name servers, EDNS, the recursive feature and UDP packet spoofing, as well as how the amplification effect works. Our study is based on packet captures (we provide samples) and logs from attacks on di