On Thu, 11 Sep 2008, Kurt Erik Lindqvist wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> (CC trimmed)
>
> Having worked for a tier-1 provider and started two ISPs in the past,
> I am certain that BCP38 won't be universally deployed as that is
> operationally very hard and costly in larger networks. This
> effectively means that there will still be attack vectors open using
> recursive reflectors.
BCP38 non-deployment means that there will be all kinds of spoofed source IP address attacks, not just open recursor attacks. I have personal experience with some rooted systems, recently. The botnet software that I've seen on these rooted systems doesn't include programs for exploiting open recursors.

> Attacks using open recursors are real.

I don't dispute there have been open recursor attacks. However, the attacks appear to be contrived and solicited, lacking in number, lacking in intensity, and lacking in actual damage. There is no problem that needs to be solved. There are serious 'unclean hands' on the part of the proponents, for having solicited attacks and for profiting from closing open recursors with DNSSEC software sales.

> I wish I could share data or evidence, but as is usually the case in
> security operations, people are not very happy to share the details.

Secret evidence that no one can share, and secret harms that no one has ever reported in the press or in security forums. Maybe we can have a super-secret 'recursors-are-evil' document that is never published, because the problem is so secret.

> The best we have is what I assume is the data point from the largest
> commercial observer and regular study (Danny's survey) from the global
> operations forums. Dean has already decided to disregard that
> data, so I have no idea what other public source of data he would
> trust.

NANOG represents a tiny minority of the internet operations community, just in North America. As has already been pointed out, ARIN has about 3000 members, and NANOG represents a few hundred. NANOG has previously deceived the public on similar matters:

http://www.iadl.org/nanog/nanog-story.html

If this is a real problem, there should be some clamor from the thousands of ISPs worldwide. There is no such clamor. There is only a clamor from some DNSSEC advocates who have solicited open recursor attacks.
Some of these folks have also previously deceived the public on similar matters; see http://www.iadl.org/maps/maps-story.html.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop