Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch

2013-05-16 Thread Paul Vixie
... Vernon Schryver wrote: > ... > > ... We are talking about testing for (and perhaps > mitigating) attack packets. A "positive" for our test is "this packet > is an attack packet." Deciding that a packet is not an attack packet > is a "negative". An accurate test or determination that a pa

Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch

2013-05-16 Thread Mike Hoskins (michoski)
-Original Message- From: Vernon Schryver Date: Thursday, May 16, 2013 11:30 AM To: "dns-operati...@mail.dns-oarc.net" Subject: Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch >That is mistaken. We are talking about testing for (and perhaps >mitigating) attack packets. A "positive" fo

Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch

2013-05-16 Thread Vernon Schryver
> From: Matthijs Mekking > > https://www.google.com/search?q=false+positive > > http://www.mathsisfun.com/data/probability-false-negatives-positives.html > > https://en.wikipedia.org/wiki/Type_I_and_type_II_errors > > So a false positive is a type I error, aka "the incorrect rejection of a > tru

Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch

2013-05-16 Thread Matthijs Mekking
On 05/16/2013 03:31 PM, Matthijs Mekking wrote: On 05/16/2013 02:54 PM, Vernon Schryver wrote: From: Matthijs Mekking https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0 Page #12 I also wonder about the definition of "false positive." The

Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch

2013-05-16 Thread Matthijs Mekking
On 05/16/2013 02:54 PM, Vernon Schryver wrote: From: Matthijs Mekking https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0 Page #12 I also wonder about the definition of "false positive." There are many plausible candidates. I agree. Basic

Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch

2013-05-16 Thread Vernon Schryver
> From: Matthijs Mekking > >> https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0 > >> > >> Page #12 > > I also wonder about the definition of "false positive." There are many > > plausible candidates. > > I agree. Basically it is a query from an

Re: [dns-operations] bind-9.9.3rc2 ANY+TCP patch

2013-05-16 Thread Matthijs Mekking
On 05/16/2013 12:52 AM, Vernon Schryver wrote: From: Jared Mauch Because of the FP ratio presented at the DNS-OARC meeting this past week. It's suitable on a recursive resolver, where RRL is most effective on an authority. See https://indico.dns-oarc.net/indico/getFile.py/access?contribId=

[dns-operations] DNS amplification attacks in draft-ietf-savi-threat-scope-08

2013-05-16 Thread Stephane Bortzmeyer
IETF document (approved by IESG and currently in the RFC Editor Queue) contains: > DNS is one of the common targets of such attacks. The > amplification factor observed for attacks targeting DNS root and > othe