Hello,
I posted this to httpd.apache.org but have not had any response, so I think it
may be more related to BIND than DNS. Apologies for the cross-post.
I have setup two webservers on my network, one connected directly to the ISP
with an ethernet card installed to bring it to the router where,
Ronald,
It's obvious you're frustrated (understandable), and enthusiastic
(commendable), but you might want to consider dialing down your
"rhetoric" a bit. You've had responses from people here who have been
working on this problem for years, and have a deep understanding of it.*
Trying to u
In message <15120.1371179...@server1.tristatelogic.com>, "Ronald F. Guilmette"
writes:
>
> In message <20130614023140.7735d35e2...@drugs.dv.isc.org>,
> Mark Andrews wrote:
>
> >* Router manufacturers have code to support BCP 38 though it defaults to off.
>
> Well then, THAT is going to be a g
In message <20130614032434.72450.qm...@joyce.lan>,
"John Levine" wrote:
>>So, may I infer that rather than being put off until the end of the
>>century, which seemed to be the previous implementation timeline,
>>pervasive implementation of BCP 38 may now be expected at around the
>>time that 32
>So, may I infer that rather than being put off until the end of the
>century, which seemed to be the previous implementation timeline,
>pervasive implementation of BCP 38 may now be expected at around the
>time that 32-bit UNIX clocks are anticipated to wrap-around to negative?
Perhaps, but I thi
> From: "Ronald F. Guilmette"
} That is an interesting contention. Is there any evidence of, or even any
} reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
} using strictly 512 byte packets?
}
} If that's actually a real problem, then I am forced to assume that there
In message <20130614023140.7735d35e2...@drugs.dv.isc.org>,
Mark Andrews wrote:
>* Router manufacturers have code to support BCP 38 though it defaults to off.
Well then, THAT is going to be a great help in solving the problem, isn't it?
>* Large numbers of ISPs claim they implement BCP 38.
I c
In message <20130614022305.72272.qm...@joyce.lan>,
"John Levine" wrote:
>>>The real solution is BCP 38...
>>
>>I agree completely John. I cannot do otherwise. But I have to ask the
>>obvious elephant-in-the-room question... How is that coming along so far?
>
>Based on discussions I've had wi
In message <20130614020930.c1c1c35e2...@drugs.dv.isc.org>,
Mark Andrews wrote:
>Well the process has started. BCP 38. If you want to hurry it along
>complain to your local politician that they need to consider drafting
>legislation that requires ISPs to implement BCP 38 in their networks.
See!
In message <201306140126.r5e1quqj032...@calcite.rhyolite.com>,
Vernon Schryver wrote:
>Indeed. As many have mentioned, DNS reflection attacks are merely
>the current fad...
So it is "just a fad".
Whew! That's a load off! I'm glad that somebody told me. Fortunately
there is still time for
In message <14768.1371175...@server1.tristatelogic.com>, "Ronald F. Guilmette"
writes:
>
> In message <20130614004155.72013.qm...@joyce.lan>,
> "John Levine" wrote:
>
> >The real solution is BCP 38...
>
> I agree completely John. I cannot do otherwise. But I have to ask the
> obvious eleph
>>The real solution is BCP 38...
>
>I agree completely John. I cannot do otherwise. But I have to ask the
>obvious elephant-in-the-room question... How is that coming along so far?
Based on discussions I've had with people who work at large networks
and in policy positions in various government
In message <20130614004155.72013.qm...@joyce.lan>,
"John Levine" wrote:
>The real solution is BCP 38...
I agree completely John. I cannot do otherwise. But I have to ask the
obvious elephant-in-the-room question... How is that coming along so far?
Maybe we could find worse ways to spend ou
Well the process has started. BCP 38. If you want to hurry it along
complain to your local politician that they need to consider drafting
legislation that requires ISPs to implement BCP 38 in their networks.
Require BCP 38 implementation by all parties as part of trade
negotiation.
Doing anythin
In message <51ba355b.10...@dougbarton.us>,
Doug Barton wrote:
>No. You can still get pretty good amplification with 512 byte responses.
That is an interesting contention. Is there any evidence of, or even any
reasonably reliable report of any DDoS actually being perpetrated IN PRACTICE
using
> From: "John Levine"
> The real solution is BCP 38, to keep spoofed packets out of the
> network in the first place.
Indeed. As many have mentioned, DNS reflection attacks are merely
the current fad, driven partly by 10X or higher amplification
(<50 byte queries, >500 byte responses) and par
In message <201306131753.r5dhrwon093...@calcite.rhyolite.com>,
Vernon Schryver wrote:
>I think that the use of RRL on some roots shows that keeping state
>is not a problem if the state keeping is not utterly stupid.
(I'm not sure what, if anything, I should be reading into that last bit
of a p
Just a thought, below:
On 14/06/13 2:41, Ronald F. Guilmette wrote:
> In message <51b9fb6a.1090...@tiggee.com>,
> David Miller wrote:
>
>> This could lead to wrong headed statements like, "Yes, we sent X GB of
>> traffic at your network.
> Yes.
>
> Last night I reconsidered at some length the sche
In message <51b9fb6a.1090...@tiggee.com>,
David Miller wrote:
>A system that requires the victim to take action to stop attacks...
You mean like the de facto "system" we have right now?
>... might be misconstrued by some to be abdicating the responsibility
>of the upper four levels.
Ummm... I
>The entire problem is fundamentally a result of the introduction of EDNS0.
>Wouldn't you agree?
No, that just makes it a little easier. You pound the patoot out of
someone with 512 byte packets just as much as you can with 4K packets,
just by making your attacking botnet bigger.
The real solut
In message <51b9fb6a.1090...@tiggee.com>,
David Miller wrote:
>This could lead to wrong headed statements like, "Yes, we sent X GB of
>traffic at your network.
Yes.
Last night I reconsidered at some length the scheme I put forward yesterday.
(Please note that I am very deliberately calling it
On 06/13/2013 02:01 PM, Ronald F. Guilmette wrote:
The entire problem is fundamentally a result of the introduction of EDNS0.
Wouldn't you agree?
No. You can still get pretty good amplification with 512 byte responses.
There are 2 causes of this problem, lack of BCP 38, and improperly
secure
In message <51b991f7.9070...@imperial.ac.uk>,
Phil Mayers wrote:
>On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:
>> 2) Has anyone ever proposed adding to the DNS protocol something vaguely
>> reminiscent of the old ICMP Source Quench? If so, what became of that
>> proposal?
>...
>> Basical
- Original Message -
>
> > Any comments and best practice solution info very welcome.
>
> Folks with significant requirements with regard to high availability
> are likely to put a hardware loadbalancer running a VIP which
> receives DNS requests and balances it onto a pool of reals (ak
> From: David Miller
> >> Basically, the whole idea is just simply to allow a victim to switch to
> >> "safe TCP only mode" with all of the intermediaries that are
> >> participating
> >
> > The problem with that idea is that it needs software updates on both
> > the reflecting DNS server and the
On 06/13/2013 05:33 AM, Phil Mayers wrote:
> On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:
>
>> 1) If everyone on the planet were to somehow magically and
>> immediately be
>> converted over to DNSSEC tomorrow, then would DNS amplification attacks
>> become a thing of the past, starting tomor
On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:
1) If everyone on the planet were to somehow magically and immediately be
converted over to DNSSEC tomorrow, then would DNS amplification attacks
become a thing of the past, starting tomorrow? Does DNSSEC "solve" the
DNS amplification attack p