Ronald,

You started this thread a bit off topic, but now you've wandered pretty far off into the rhetorical weeds. So I'm going to respond to you here so that the archives have a little more utility, then I'm going to let you have the last word.


On 06/14/2013 02:04 PM, Ronald F. Guilmette wrote:

In message <51baa714.9020...@dougbarton.us>,
Doug Barton <do...@dougbarton.us> wrote:

It's obvious you're frustrated (understandable), and enthusiastic
(commendable), but you might want to consider dialing down your
"rhetoric" a bit.

Great idea!  I have only one small question... Would you be willing to
provide me an example to follow?  If so, please proceed.

So let me be a little more clear. You're engaging in frivolous arguments and borderline ad hominem attacks. Neither is particularly useful, and have only served to obscure whatever utility your proposals may have had.

You've had responses from people here who have been
working on this problem for years,

Yes.  On the order of 13 years it appears.

Regarding BCP 38, longer than that actually. And yes, progress has been made, but it's still an active problem (for reasons already discussed).

Based on recent reports, I am forced to conclude that the people of whom
you speak have not actually managed to solve the problem, even given all
that time.

Your conclusion is correct, even though your premise is faulty. In addition to the aforementioned problem of the costs associated with BCP 38, there is also the problem of new operators coming on to the scene that need education. It's not a problem that can be "solved," it requires an ongoing effort under the best of circumstances.

and have a deep understanding of it.*

Yes.  And that deep understanding has apparently not been successful in
resolving the problem, I think.

Again, false premise, this time with a bonus false conclusion. Understanding what causes a problem is different from being able to wave a magic wand and solve it. Especially with DNS which has a very long tail of deployed software that does not get upgraded.

On the other hand, maybe you think that
it _has_ been successful in solving the problem.  If so, all I can say
is that I would hate to see what failure looks like.

Nice rhetorical flourish, but again, totally unhelpful.

Trying to understand what they're telling you, and its implications,
would really help your situation.

I understand that you hold the view that it is self-evident that I must
not understand something, simply because I do not accept without
question the prevailing conventional view of this problem and its
possible solutions.  I do wonder however if the possibility, however
unlikely, ever crossed your mind that perhaps I _do_ actually understand
both the problem and the issues, and that I just happen to disagree
with the conventional wisdom with respect to these matters, a conventional
wisdom that, from where I am sitting at least, appears to
have so far succeeded in producing absolutely nothing in the way of
either a solution or even observable progress over all of the past
thirteen years.

Pardon my being blunt, but you have a fundamental lack of understanding about the basic facts at hand, therefore it would be hard for me to conclude that you do understand the problem. Regarding your proposed solution, you yourself dramatically revised it within a very short period after your first post, thus it would be reasonable to conclude that the best case scenario is that your understanding of the solution is evolving.

Please note, these observations are not meant to be pejorative. As Vernon pointed out you have "parachuted in" with "the one true solution," and you're berating anyone who dares to disagree with you. It would be helpful for you to look at the situation from our perspective.

No. You can still get pretty good amplification with 512 byte responses.

That is an interesting contention.  Is there any evidence of, or even any
reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
using strictly 512 byte packets?

You're asking the wrong question. Attackers don't go out of their way to
find open resolvers that they are sure will return 4k packets.

That also is an interesting contention.  May I ask what the factual basis
was for your conclusion here?

The overwhelming collected evidence of how botnets work, and how the attackers use them would be a good start. I don't follow the topic in depth, but I do try to keep up to speed on the highlights. You should probably spend some time learning about the details yourself. It's not my job to do your homework for you. :)

And yes, I understand that you feel (erroneously) that this is an "appeal to authority" fallacy. However there is a vast difference between "it's true because I say so," and, "Go do your own homework, because the facts exist to support that what I'm saying is true."

It's probably also worth noting that if your attitude was a little more collegial people would be more likely to help you.

The important point being (as others have made to you) that this is not
an EDNS0 issue.

Yes, I see that Vernon said that.  I continue to await the concrete
evidence that supports that view.

Again, it's a very handy rhetorical device to say, "Please prove that my absurd perspective is wrong before I will listen to you." Doesn't advance the conversation at all, but it is a handy position for you to take. :)

It's also worth noting that I realize this wasn't the
main point you were trying to make,

Well, that is something anyway.

Glad I could help.

If that's actually a real problem, then I am forced to assume that there
must have been numerous reliable reports of successful and devastating
DNS reflection DDoS attacks which pre-dated the widespread adoption of
EDNS0.

Again, you're making the wrong argument. As others have pointed out to
you, DNS amplification is just the attack du jour.

I wonder if you are familiar with the actual English translation of the
term "du jure".

Well according to Google it's, "the swear." But I'm not an expert in French.

I and others who have been attacked in this manner
might be inclined to take offense from your making light of the time
frame over which these kinds of attacks have been occurring.  I assure
you that it has been quite a bit more than a single day.  In fact it
has been closer to ten years.

So again, nice bombastic rhetoric, but totally unrelated to anything useful.

There is evidence at
the moment that the kiddies are already moving to chargen

I believe that the applicable British word is "bollix".

Actually I think you're looking for "bollocks." Bollix is something else entirely.

I see nothing
anywhere on the Internet that amounts to what any reasonable person would
call "evidence" to support your contention here.  There is a grand total
of -one- lone anecdotal report of a recent event involving what someone
apparently believed must have been chargen, but even that report is
utterly lacking in detail, including especially the most important
detail, i.e. whether or not that one (alleged) lone chargen ``attack''
produced anything at all in the way of damage or even noticeable hardship
on the part of the ``victim''.

You're free to ignore whatever you don't think is enough evidence to satisfy you about a specific attack. However the larger point remains that DNS amplification is not the only way to DOS someone, and that if we solve that problem tomorrow the day after tomorrow there will be a new attack that uses the lack of BCP 38 to function.

(And by the way, I cannot help but observe that your contention that
chargen is the next great menace to society

Not at all what I said, and again, totally unhelpful rhetoric.

There is no quick fix.

I will settle for a slow one.

Then you really want to learn more about response rate limiting

I read Vixie's paper.  I do apologize for the fact that although I read
it and understood it, I reserve the right to disagree that it represents
the One, the True, the Only solution to the problem under discussion.

It's not, and the authors/proponents of RRL don't claim it is. But it will help in the long run, for the specific case of DNS amplification.

I understand and accept that my own personal lack of conventional religious
convictions often puts me outside of whatever is considered
the "mainstream", but I think that you err when you assume that anyone
who is not immediately awestruck by the utter and undeniable brilliance of
Vixie's (still pending) "solution" must obviously not have understood
it properly.  Foreign though it may be to your conception, it is in fact
possible to both understand and to simply disagree.

It may surprise you to note that I rather often make the same point myself (disagreement != lack of understanding). However in this case you have not only demonstrated a non-trivial lack of understanding of the basic facts related to the topic; you have actively resisted attempts to educate you about them. That makes it rather difficult to take any conclusions you come to seriously.

But let us be specific.  Vixie's as yet unimplemented proposal involves
arranging to have machines that might participate in a DNS reflection
all voluntarily participate in "rate limiting", which kicks in when
those machines themselves notice that something is amiss.  But
I would like to call your attention to something that Vernon said just
yesterday:

Sufficiently distributed or disbursed DNS reflection attacks (e.g. qps<1
at reflectors) are hard even to detect except at the victim.

I agree completely with Vernon on the above point.

Now, I would simply like to know how Vixie's rate limiting scheme solves
this problem.   If you can provide an answer to that question, please do
proceed.

Focusing on a specific aspect of the proposed solutions that doesn't seem to work to your satisfaction is (again) a nice rhetorical flourish, but it ignores the bigger picture. RRL will help, but it's not the complete solution, nor do its authors claim it is.

... but the real answer is still going to be BCP 38...

I have two responses to that:

1) Yes, yes, and yes.  BCP 38 is clearly the wave of the future, has been
for the past 13 years, and unfortunately perhaps always will be.  I agree
completely that BCP 38 is a profoundly good *and* a profoundly necessary
thing.  We have no disagreement about that whatsoever.  I merely made
a modest suggestion for an idea, a scheme, that could perhaps assist to
mitigate DNS reflection attacks in the time period over the _coming_
13 years, during which we shall all most certainly continue to work,
diligently, towards the goal of BCP 38's universal implementation.

Yup, I understand what you're proposing (remember, disagreement != lack of understanding). The point that several people have tried to make to you now is that (like RRL) your proposal relies on people updating their software. In the DNS world we have a large problem with long tails of un-updated software continuing to be a nuisance. So to recap:

1. No matter how good they are, software-based solutions to the DNS amplification problem will take a very long time to be effective, where "very long time" is defined as at least a decade.

2. DNS amplification is only 1 in a long string of DDOS attacks, and as soon as the problem is fixed (or starts getting fixed in any kind of a meaningful way) other vectors will be developed and employed.

So at the end of the day, BCP 38, as frustrating as it is, is still the real answer.

2)  If indeed BCP 38 is ``the real answer'' then why is anybody wasting
any time, energy, or effort implementing, adopting, or even talking about
Vixie's rate limiting scheme?

Because every little bit helps, and RRL is actually useful for DDOS attacks against the authoritative server itself. There are likely other reasons, but those are the most obvious (to me anyway).

I am not persuaded that we have even really begun in earnest a process that
is likely to lead to that result.  Almost everybody, even 13 years later,
is still hoping for, and praying for, some utterly cost-free and pain-free
solution to drop down out of the sky like manna from heaven.

Again, you need to become more familiar with the efforts that have been
ongoing for years.

Again, I call your attention to what I, and presumably many many other
attack victims consider to be a rather salient point, i.e. that despite
having worked on the problem for a period already considerably longer
than the time it took NASA to put a man on the moon, the folks involved
in the "efforts" of which you speak do not seem to have produced anything
in the way of tangible results, or even tangible progress against the
problem in all that time.  Given this record of utter failure on the
part of the many illustrious experts who have so far been working the
problem, I do not think that it was either unreasonable or unwarranted
for me, or for anyone else for that matter, to have tossed another modest
little idea into the ring.  We could hardly do worse than the illustrious
experts have managed to do over all these years.

(I do not anticipate that my act of pointing out the nakedness of certain
potentates is likely to earn me universal accolades, but then I didn't
start this thread for love... at least not the love of anyone here.)

I get that you're really interested in knocking certain people down a peg or two, however your attitude combined with your ignorance just makes you come off as petty (or silly, for the more charitably inclined). If you really want to know why BCP 38 hasn't been deployed universally go educate yourself on the topic. It has nothing to do with lack of effort on the part of those that want to see it deployed, it has everything to do with the associated costs to the operators. If, on the other hand, your primary purpose is to insult people, well, good luck with that.

Mark also made an excellent point about legislation for BCP 38 being an
unfortunate necessity at this point.

Please do forgive me as I "misunderstand" again, but my own view is that
the excellence, or lack thereof, of Mark's point is at best debatable.

Pray tell when is this hypothetical future legislation likely to be
arriving on the President's desk?

Well Mark lives in Australia, so which president are you referring to?

And more to the point, how will adoption of said legislation, even if
achieved in our lifetimes, and even if achieved universally throughout
all of Europe, the Americas, and Africa,

Don't forget Australia!

going to affect in any way the
network configuration policies of either the South Koreans or, more
importantly, the Chinese?  Is the plan to simply hold our collective
breaths until we either turn blue or the Chinese give in and accept
our preferred way of doing things?  (That approach seems to have worked
out oh so well in the case of Darfur, don't cha think?)

So what I think you're saying is that there is no universal solution, and that efforts should be put in a wide variety of areas (like RRL) to try to mitigate the problem as much as possible ... or maybe it's me who misunderstands. :)

Doug
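Two technical claims in the exchange above can be checked with a small model: that a plain 512-byte answer still gives real amplification, and that a reflection attack spread at well under 1 q/s per reflector is invisible to any per-reflector rate limiter and only visible at the victim. The Python below is an added illustration, not code from this thread or from the RRL implementation; the wire sizes, the victim prefix, the per-second /24 bucketing and the 5/s limit are constructed assumptions.

```python
# Added toy model (not code from this thread): how much a plain 512-byte
# UDP answer amplifies, and why a per-reflector response-rate limiter
# (simplified RRL-style window, an assumption here) cannot see an attack
# spread thinly over many reflectors, while the victim sees the aggregate.
from collections import defaultdict

# Constructed wire sizes: a small query vs. a classic 512-byte answer.
QUERY_BYTES = 60
RESPONSE_BYTES = 512
VICTIM_PREFIX = "192.0.2.0/24"   # constructed victim (TEST-NET-1 range)


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the spoofed source per byte the sender emits."""
    return response_bytes / query_bytes


class ResponseRateLimiter:
    """Simplified rate limiter: identical answers toward one client prefix
    are counted per one-second window; above `limit` they are dropped."""

    def __init__(self, limit_per_sec: int) -> None:
        self.limit = limit_per_sec
        self.counts = defaultdict(int)

    def allow(self, second: int, client_prefix: str, answer_key: str) -> bool:
        key = (second, client_prefix, answer_key)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate(reflectors: int, qps_per_reflector: float,
             seconds: int, limit_per_sec: int):
    """Spread queries evenly over `seconds` at each reflector, each running
    its own limiter. Returns (bytes reaching the victim, answers dropped)."""
    delivered = dropped = 0
    for _ in range(reflectors):
        rrl = ResponseRateLimiter(limit_per_sec)
        for i in range(int(qps_per_reflector * seconds)):
            second = int(i / qps_per_reflector)
            if rrl.allow(second, VICTIM_PREFIX, "example.com/ANY"):
                delivered += RESPONSE_BYTES
            else:
                dropped += 1
    return delivered, dropped


if __name__ == "__main__":
    print(f"amplification: {amplification_factor(QUERY_BYTES, RESPONSE_BYTES):.1f}x")
    # Same 5000 q/s in total: one busy reflector vs. 10000 at 0.5 q/s each.
    print("concentrated:", simulate(1, 5000, 60, 5))
    print("distributed: ", simulate(10000, 0.5, 60, 5))
```

The concentrated case is almost entirely dropped by the limiter, while the distributed case at the same aggregate rate passes untouched, which is the point Vernon and Doug both make: rate limiting helps the reflector, but only source-address validation (BCP 38) removes the spoofed traffic itself.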

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users