Home page logo

nanog logo nanog mailing list archives

Re: DOS attack against DNS?
From: Paul Vixie <vixie () vix com>
Date: 16 Jan 2006 17:33:56 +0000

Mark_Andrews () isc org (Mark Andrews) writes:

      For repeat offenders create a list of networks that won't
      implement BCP 38 and collectively de-peer with them telling
      them why you are de-peering and what is required to
      re-establish connectivity.  It is in everyones interests
      to do the right thing here.

people inside one of the largest networks have told me that they have
customers who require the ability to bypass BCP38 restrictions, and that
they will therefore never be fully BCP38 compliant.  i've asked for BCP38
to become the default on all their other present and future customers but
then there was whining about bankruptcy, old outdated equipment, and so on.
sadly, there's no way to de-peer this network, or any other multinational,
and so there will be no "peer pressure" on them to implement BCP38.

so, it's either not in everyone's interests to do the right thing, or there
is still a huge variance in what's considered "the right thing".  either
way, we're (the internet is) SCREWED until we (that's "we all") fix this.

(if you're not seeing spoofed-source attacks, bully for you!  i didn't see
one today, either, but leaving this tool in the bad-guy toolbox makes us all
unsafe, no matter how much or how little they may be using it this day/year.)
Paul Vixie

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]