In message <ae105312-3108-4b0b-8445-7116b84ec...@arbor.net>, "Dobbins, Roland" writes:
> On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote:
>
> > Named already takes proper precautions by default. Recursive service is
> > limited to directly connected networks by default. The default
> > was first changed in 9.4 (2007) which is about to go end-of-life once the
> > final wrap up release is done.
>
> This alone isn't enough. There are quite a few other things folks must do
> from an architectural and operational standpoint which aren't found in
> named.conf.
>
> > The real problem is that many ISP's don't do effective ingress/egress
> > filtering.
>
> Well, no. The real problem is a protocol set/implementation which lends
> itself so readily to spoofing in the first place, followed (as you say) by
> ISP/endpoint network inattention to anti-spoofing, followed by protocols
> which make use of the eminently-spoofable UDP for a critical service.

And even if DNS/TCP was used by default machines can still get DoS'd because
IP is spoofable. This one looks like a direct attack on the machine as there
are multiple source addresses rather than a reflector attack unless they are
attempting to attack thousands of sites simultaneously.

> > This prevents compromised machines impersonating other machines.
>
> Concur, but see above - spoofing is the symptom, not the disease.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
>
> The basis of optimism is sheer terror.
>
> -- Oscar Wilde

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
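The triage heuristic Mark applies above (many distinct source addresses points to a direct flood at the server, while a reflector attack shows the spoofed victim address over and over, typically with amplifying query types) can be run over named's query log. The following is an added example, not code from the thread or from ISC; the log lines are constructed, the "client ADDR#PORT: query: NAME CLASS TYPE" field layout is assumed to match what the `queries` logging category writes, and the 0.5 thresholds are arbitrary starting points for a single time window.

```python
import re
from collections import Counter

# Constructed BIND-style query log lines (not taken from the thread).
# Pattern 1: one source address repeating an ANY query for a large zone,
# which is what a resolver sees when it is being used as a reflector;
# the repeated "source" is the spoofed victim, not the attacker.
REFLECTION_SAMPLE = """\
01-Aug-2011 07:40:01.001 client 198.51.100.7#51234: query: isc.org IN ANY +
01-Aug-2011 07:40:01.002 client 198.51.100.7#51235: query: isc.org IN ANY +
01-Aug-2011 07:40:01.003 client 198.51.100.7#51236: query: isc.org IN ANY +
01-Aug-2011 07:40:01.004 client 198.51.100.7#51237: query: isc.org IN ANY +
"""

# Pattern 2: many distinct source addresses, each asking for something
# different, which is the "direct attack on the machine" shape.
DIRECT_SAMPLE = """\
01-Aug-2011 07:40:02.001 client 192.0.2.10#40001: query: a1.example.net IN A +
01-Aug-2011 07:40:02.002 client 192.0.2.11#40002: query: a2.example.net IN A +
01-Aug-2011 07:40:02.003 client 192.0.2.12#40003: query: a3.example.net IN A +
01-Aug-2011 07:40:02.004 client 192.0.2.13#40004: query: a4.example.net IN A +
01-Aug-2011 07:40:02.005 client 192.0.2.14#40005: query: a5.example.net IN A +
"""

# Query types whose answers are usually much larger than the question.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Assumed field order; adjust the pattern if your logging channel differs.
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Return a list of (source_ip, qname, qtype) for every parseable line."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group("src"), m.group("name").lower(), m.group("qtype").upper()))
    return out


def summarise(log_text):
    """Characterise one window of query log as reflection-like or direct-like.

    Reflection-like: one address dominates the source column (the spoofed
    victim). Direct-like: the source column is almost as diverse as the
    query count. Anything in between is reported as mixed.
    """
    queries = parse_queries(log_text)
    n = len(queries)
    if n == 0:
        return {"queries": 0, "verdict": "no-data"}

    sources = Counter(src for src, _, _ in queries)
    names = Counter(name for _, name, _ in queries)
    qtypes = Counter(qtype for _, _, qtype in queries)

    top_src, top_src_count = sources.most_common(1)[0]
    top_src_share = top_src_count / n
    source_diversity = len(sources) / n
    amplifying_share = sum(c for t, c in qtypes.items() if t in AMPLIFYING_QTYPES) / n

    if top_src_share >= 0.5:
        verdict = "reflection-like"
    elif source_diversity >= 0.5:
        verdict = "direct-like"
    else:
        verdict = "mixed"

    return {
        "queries": n,
        "distinct_sources": len(sources),
        "distinct_names": len(names),
        "top_source": top_src,
        "top_source_share": top_src_share,
        "amplifying_share": amplifying_share,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("reflection", REFLECTION_SAMPLE), ("direct", DIRECT_SAMPLE)):
        print(label, summarise(sample))
```

The verdict changes what a defender should do. In the reflection-like case the dominant "source" is the victim, so rate-limiting or blocking that address only finishes the attacker's job; the resolver should instead refuse recursion to addresses outside its own networks (the 9.4 default the thread mentions) and the spoofing networks need ingress filtering. In the direct-like case the source addresses are at least plausibly real and per-client limits or upstream filtering are appropriate.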