North American Network Operators Group
Re: DNS attacks evolve
jgreco@xxxxxxxxxx (Joe Greco) writes:

> I am very, very, very disheartened to be shown to be wrong. As if 8 days
> wasn't bad enough, a concentrated attack has been shown to be effective in
> 10 hours. See http://www.nytimes.com/2008/08/09/technology/09flaw.html

that's what theory predicted. guessing a 30-or-so-bit number isn't "hard."

> With modern data rates being what they are, I believe that this is still a
> severe operational hazard, and would like to suggest a discussion of further
> mitigation strategies.
> ...

i have two gripes here.

first, can we please NOT use the nanog@ mailing list as a workshop for discussing possible DNS spoofing mitigation strategies? namedroppers@xxxxxxxxxxxx already has a running gun battle on that topic, and dns-operations@xxxxxxxxxxxxxxx would be appropriate. but unless we're going to talk about deploying BCP38, which would be the mother of all mitigations for DNS spoofing attacks, it's offtopic on nanog@.

second, please think carefully about the word "severe". any time someone can cheerfully hammer you at full-GigE speed for 10 hours, you've got some trouble, and you'll need to monitor for those troubles. 11 seconds of 10 Mbit/sec fits my definition of "severe". 10 hours at 1000 Mbit/sec doesn't.

-- 
Paul Vixie
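The "30-or-so-bit number" and the seconds-versus-hours comparison above are a rate calculation: the attacker has to match the resolver's 16-bit message ID plus whatever entropy the source port adds, and the time to do so is the expected number of forged answers divided by how many forged answers per second actually reach the resolver. The following cost model is an added illustration of that arithmetic; it is not code from the thread or from any resolver, and the source-port entropy (14 bits) and forged-answer size (100 bytes on the wire) are assumptions chosen to make the numbers round. It also inverts the model, so that an observed time-to-poison (the 10 hours cited above) can be turned back into the rate of useful guesses the attack really sustained, which is far below GigE line rate.

```python
"""
Rough cost model for blind DNS answer spoofing: how many forged replies an
attacker must send to match the resolver's (message ID, source port) pair,
and how long that takes at a given guess rate. Added illustration, not code
from the NANOG thread; every constant below is an assumption.
"""

# Assumed sizes, in bits, of the values a blind spoofer has to guess.
TXID_BITS = 16             # the 16-bit DNS message ID (RFC 1035 header field)
PORT_BITS_RANDOMIZED = 14  # assumed effective entropy of a randomized source port
PORT_BITS_FIXED = 0        # a resolver using one fixed source port adds nothing

# Assumed on-the-wire size of one forged answer (framing + IP + UDP + DNS).
FORGED_ANSWER_BYTES = 100


def guess_space_bits(port_bits: int = PORT_BITS_RANDOMIZED) -> int:
    """Entropy the attacker must match: message ID plus source-port bits."""
    return TXID_BITS + port_bits


def expected_forged_answers(entropy_bits: int) -> int:
    """Mean number of uniformly random guesses before one hits the single
    correct value in a space of 2**entropy_bits (about half the space)."""
    return 2 ** (entropy_bits - 1)


def forged_answers_per_second(link_bps: float,
                              packet_bytes: int = FORGED_ANSWER_BYTES) -> float:
    """Upper bound on guess rate: the link saturated with forged answers.
    Real attacks run well below this, because each guess only counts if it
    arrives between the resolver's query and the legitimate answer."""
    return link_bps / (packet_bytes * 8)


def seconds_to_poison(entropy_bits: int, link_bps: float,
                      packet_bytes: int = FORGED_ANSWER_BYTES) -> float:
    """Expected time to a successful spoof at line rate (optimistic bound)."""
    rate = forged_answers_per_second(link_bps, packet_bytes)
    return expected_forged_answers(entropy_bits) / rate


def effective_guess_rate(entropy_bits: int, observed_seconds: float) -> float:
    """Invert the model: given a measured time-to-poison, the average number
    of useful forged answers per second the attack actually achieved."""
    return expected_forged_answers(entropy_bits) / observed_seconds


def hardening_factor(port_bits: int = PORT_BITS_RANDOMIZED) -> int:
    """How many times longer source-port randomization makes the attack,
    relative to a fixed-port resolver, at the same guess rate."""
    with_ports = expected_forged_answers(guess_space_bits(port_bits))
    fixed_port = expected_forged_answers(guess_space_bits(PORT_BITS_FIXED))
    return with_ports // fixed_port


if __name__ == "__main__":
    # Fixed-port resolver on a 10 Mbit/s link vs. randomized ports on GigE.
    for bits, link in ((guess_space_bits(PORT_BITS_FIXED), 10e6),
                       (guess_space_bits(), 1e9)):
        print(f"{bits}-bit guess space at {link / 1e6:.0f} Mbit/s: "
              f"~{seconds_to_poison(bits, link):,.0f} s at line rate")
    # What a 10-hour poisoning of a 30-bit space says about the real rate.
    print(f"10 h on a {guess_space_bits()}-bit space implies "
          f"~{effective_guess_rate(guess_space_bits(), 10 * 3600):,.0f} "
          f"useful guesses/s")
```

Two things the numbers show. First, the line-rate bound for 30 bits at 1 Gbit/s comes out in minutes, while the attack cited above took 10 hours; dividing 2^29 expected guesses by 36,000 seconds gives roughly 15,000 useful guesses per second, under two percent of what the link could carry, because a forged answer only matters if it lands inside the race window. Second, the 14 bits of port entropy multiply the attacker's work by 2^14 at any given rate, which is exactly the gap between "seconds" and "hours" in the message above; the operational point stands that a spoof which needs hours of sustained, monitorable traffic is a different hazard from one that needs seconds.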