In message <15120.1371179...@server1.tristatelogic.com>, "Ronald F. Guilmette" writes:
>
> In message <20130614023140.7735d35e2...@drugs.dv.isc.org>,
> Mark Andrews <ma...@isc.org> wrote:
>
> >* Router manufacturers have code to support BCP 38 though it defaults to off.
>
> Well then, THAT is going to be a great help in solving the problem, isn't it?

Actually it is, because it provides ISPs with tools they can use in appropriate places.

> >* Large numbers of ISPs claim they implement BCP 38.
>
> I claimed that I was Charlie Chaplin once. Unfortunately, Robert Downey Jr.
> beat me to it.
>
> (My claim also did not help any of the organizations who were DDoS'd last
> week in any material way.)

But it does, if the claims are valid, reduce the number of machines that can be used to launch attacks from, and it also applies peer pressure on other ISPs. It also invalidates claims from ISPs that say they can't implement BCP 38 when push comes to shove.

> >* NAT boxes tend to reduce the number of viable sources. As more
> > networks rather than hosts connect the IPv4 problem space will
> > reduce.
>
> At the risk of stating the obvious, putting a bunch of machines behind
> a NAT box does not make the routed IPv4 addresses that those boxes were
> formerly connected to disappear.

But it does stop machines behind the NAT boxes from being able to reflect packets off machines elsewhere on the net. Everything coming from the NAT has the NAT's address as its source. This turns the attack from an amplified, reflected DDoS attack into a straight-out DDoS attack (no amplification, no reflection). Attempts to launch attacks from behind the NAT impact the user of the NAT and the would-be reflector, not third parties.

> Do you believe that everybody who
> puts a box behind a NAT then immediately takes pains to insure that
> _nothing_ will ever represent itself to the public Internet as occupying
> that box's previous routed address ever again? Or is it just as likely,
> if not more so, that some new box will be put in the old box's place...
> a new box which is even less likely than the old one to be a mere end-
> luser client machine, incapable of reflecting anything, and vastly more
> likely to be a brand new *server* of some sort... probably of a kind that
> will suddenly make that IP address useful as a packet reflector, where
> the prior box would not have been useful at all in that respect?

I'd rather have another reflector than a spoofed traffic source. There will always be reflectors. There doesn't have to be any source of spoofed traffic.

CPE vendors have been informed of the broken defaults in their boxes and new equipment will ship which is not broken.

ISPs can filter inbound traffic directed at port 53 by default but allow an end user to remove the filter. They do this sort of thing for SMTP.

Sensible defaults are making their way through the IETF so that CPE vendors have some guidance on how to configure their boxes for IPv6 so that they are not reflectors or other sources of badness.

As more ISPs deploy IPv6 the number of bad IPv4-only CPE boxes will decrease.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
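The three mechanisms argued over in the message above (BCP 38 ingress filtering at the ISP edge, a CPE NAT rewriting every outbound source address, and a default inbound UDP/53 filter that the customer can opt out of) are small enough to model end to end. The following is an added example written for this page, not code from the thread or from ISC; the router and NAT classes are a toy model, and all addresses are constructed from the RFC 5737 documentation ranges rather than taken from any real network.

```python
"""Toy model of an ISP customer edge, a CPE NAT and a reflector.

Shows why a spoofed-source reflection attack either dies at a BCP 38
filter or, behind a NAT, comes back down the attacker's own link.
Added example; addresses are constructed (RFC 5737 ranges), not real.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dst_port: int
    proto: str = "udp"


class EdgeRouter:
    """ISP customer-edge router (constructed model, not a real router).

    `ports` maps a customer-facing port to the prefixes that customer was
    assigned.  BCP 38 ingress filtering: a packet arriving on that port whose
    source is not inside those prefixes cannot legitimately have come from
    the customer, so it is dropped.  The inbound DNS filter models "block
    port 53 towards the customer by default, let the customer opt out".
    """

    def __init__(self, bcp38=True, filter_inbound_dns=True):
        self.ports = {}            # port name -> [IPv4Network, ...]
        self.bcp38 = bcp38
        self.filter_inbound_dns = filter_inbound_dns
        self.dns_opt_out = set()   # ports whose customer asked for inbound 53

    def assign(self, port, *prefixes):
        self.ports[port] = [IPv4Network(p) for p in prefixes]

    def from_customer(self, port, pkt):
        """Packet arriving from the customer side. Returns a verdict string."""
        if self.bcp38 and not any(pkt.src in net for net in self.ports[port]):
            return "drop:bcp38"
        return "forward"

    def to_customer(self, port, pkt):
        """Packet from the rest of the Internet heading to the customer."""
        if (self.filter_inbound_dns and port not in self.dns_opt_out
                and pkt.proto == "udp" and pkt.dst_port == 53):
            return "drop:inbound-dns"
        return "forward"


class Nat:
    """CPE NAT: everything it forwards leaves with the NAT's own public address."""

    def __init__(self, public):
        self.public = IPv4Address(public)

    def outbound(self, pkt):
        # The inside host's claimed source is irrelevant; the NAT overwrites it.
        return replace(pkt, src=self.public)


def reflect(pkt):
    """A reflector (e.g. an open resolver) answers to whatever source it saw."""
    return Packet(src=pkt.dst, dst=pkt.src, dst_port=0, proto=pkt.proto)


def run_scenarios():
    """Run the cases discussed in the mail and return their outcomes."""
    victim = IPv4Address("198.51.100.10")      # constructed: RFC 5737 range
    open_resolver = IPv4Address("203.0.113.53")
    results = {}

    # 1. Host on a routed /24 (no NAT) forges the victim's address as source.
    isp = EdgeRouter(bcp38=True)
    isp.assign("cust-A", "192.0.2.0/24")
    spoofed = Packet(src=victim, dst=open_resolver, dst_port=53)
    legit = Packet(src=IPv4Address("192.0.2.77"), dst=open_resolver, dst_port=53)
    results["legit_with_bcp38"] = isp.from_customer("cust-A", legit)
    results["spoof_with_bcp38"] = isp.from_customer("cust-A", spoofed)

    lax = EdgeRouter(bcp38=False)
    lax.assign("cust-A", "192.0.2.0/24")
    results["spoof_without_bcp38"] = lax.from_customer("cust-A", spoofed)
    # ...and the amplified answer lands on the victim, not on the attacker.
    results["reply_without_bcp38_goes_to"] = str(reflect(spoofed).dst)

    # 2. Same host behind a NAT: the reflector only ever sees the NAT address,
    #    so the reply comes back down the attacker's own link.
    nat = Nat("192.0.2.1")
    on_wire = nat.outbound(spoofed)
    results["src_seen_by_reflector_behind_nat"] = str(on_wire.src)
    results["reply_behind_nat_goes_to"] = str(reflect(on_wire).dst)

    # 3. Inbound UDP/53 towards the customer: dropped by default, allowed
    #    once the customer opts out of the filter.
    probe = Packet(src=IPv4Address("203.0.113.7"), dst=IPv4Address("192.0.2.1"),
                   dst_port=53)
    results["inbound_dns_default"] = isp.to_customer("cust-A", probe)
    isp.dns_opt_out.add("cust-A")
    results["inbound_dns_after_opt_out"] = isp.to_customer("cust-A", probe)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:36} {verdict}")
```

`from_customer` is the per-port check that real edge gear implements either as a static ingress ACL listing the customer's prefixes or as strict unicast RPF (on Linux, `net.ipv4.conf.<iface>.rp_filter=1`; on Cisco IOS, `ip verify unicast source reachable-via rx`), which is the "defaults to off" knob the thread refers to. Note that the NAT case does not need any cooperation from the ISP: the spoofed source never reaches the wire at all.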