North American Network Operators Group
Re: Great Suggestion for the DNS problem...?
- From: Matt F
- Date: Mon Jul 28 22:44:24 2008
What would the IP-blocking BGP feed accomplish? Spoofed source
addresses are a staple of the DNS cache poisoning attack.
Worst case scenario, you've opened yourself up to a new avenue of attack
where your nameservers are receiving spoofed packets intended to
trigger a blackhole filter, blocking communication between your network
and the legitimate owner of the forged IP address.
Michael Smith wrote:
> From: Paul Vixie <vixie@xxxxxxx>
> Date: Tue, 29 Jul 2008 01:24:43 +0000
> To: Nanog <nanog@xxxxxxxxx>
> Subject: Re: Great Suggestion for the DNS problem...?
>
> jra@xxxxxxxxxxx ("Jay R. Ashworth") writes:
>
> > [ unthreaded to encourage discussion ]
> >
> > On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
> > > Nameservers could incorporate poison detection...
> > > Listen on 200 random fake ports (in addition to the true query ports);
> > > if a response ever arrives at a fake port, then it must be an attack,
> > > read the "identified" attack packet, log the attack event, mark the
> > > RRs mentioned in the packet as "poison being attempted" for 6 hours;
> > > for such domains always request and collect _two_ good responses
> > > (instead of one), with a 60 second timeout, before caching a lookup.
> > > The attacker must now guess nearly 64-bits in a short amount of time,
> > > to be successful. Once a good lookup is received, discard the normal
> > > TTL and hold the good answer cached and immutable, for 6 hours (_then_
> > > start decreasing the TTL normally).
> >
> > Is there any reason which I'm too far down the food chain to see why
> > that's not a fantastic idea? Or at least, something inspired by it?
>
> at first glance, this is brilliant, though with some unimportant nits.
> however, since it is off-topic for nanog, i'm going to forward it to
> the namedroppers@xxxxxxxxxxxx mailing list and make detailed comments
>
> Still off topic, but perhaps a BGP feed from Cymru or similar to block IP
> addresses on the list?
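The decoy-port detection, "poison being attempted" marking, two-answer confirmation and 6-hour pinning that James Hess sketches in the quoted message, as an added toy simulation that is not code from the thread or from any real resolver; the port count and time windows come from his proposal, the port selection with `random.sample` and the in-memory dictionaries are my assumptions, and all names and answers fed to it are constructed sample data.

```python
import random
import time

DECOY_PORTS = 200            # extra ports that never carry a real query
SUSPECT_SECS = 6 * 3600      # name stays "poison being attempted" this long
CONFIRM_SECS = 60            # two agreeing answers must arrive within this
PIN_SECS = 6 * 3600          # confirmed answer is held immutable this long


class PoisonAwareCache:
    def __init__(self, now=time.time, rng=None):
        self.now = now
        ports = (rng or random.Random(0)).sample(range(1024, 65536), DECOY_PORTS + 1)
        self.query_port, self.decoy_ports = ports[0], set(ports[1:])
        self.suspect = {}   # name -> time the suspicion expires
        self.pending = {}   # name -> (first answer, time it arrived)
        self.cache = {}     # name -> (answer, pinned_until, expires_at)

    def is_suspect(self, name):
        return self.suspect.get(name, 0) > self.now()

    def on_response(self, dst_port, name, answer, ttl):
        """Handle one UDP response the resolver received; return a verdict."""
        t = self.now()
        if dst_port in self.decoy_ports:
            # No query was ever sent from this port, so the packet is forged.
            self.suspect[name] = t + SUSPECT_SECS
            self.pending.pop(name, None)
            return "dropped:decoy-port"
        if dst_port != self.query_port:
            return "dropped:unknown-port"
        cached = self.cache.get(name)
        if cached and cached[1] > t:
            return "dropped:pinned"          # immutable for PIN_SECS
        if not self.is_suspect(name):
            self.cache[name] = (answer, t, t + ttl)
            return "cached"
        first = self.pending.get(name)
        if first is None or t - first[1] > CONFIRM_SECS or first[0] != answer:
            self.pending[name] = (answer, t)  # first, stale, or disagreeing answer
            return "pending:need-matching-answer"
        del self.pending[name]
        # Ignore the normal TTL for PIN_SECS, then let it run down as usual.
        self.cache[name] = (answer, t + PIN_SECS, t + PIN_SECS + ttl)
        return "cached:pinned"

    def lookup(self, name):
        entry = self.cache.get(name)
        return entry[0] if entry and entry[2] > self.now() else None
```

Note that this model only scores packets by destination port; Matt F's objection still applies to anything built on it, since a forged packet aimed at a decoy port can mark any name it chooses as suspect, so the verdict should feed logging and confirmation, not a blackhole feed.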