North American Network Operators Group
Re: how to protect name servers against cache corruption
> The same could be said of IP. If you forge packets and ICMP or UDP attack
> MAE's) you can do it with impunity and effectively knock entire ISP's off
> the internet.

I'm unaware of any attacks occurring now that do not leverage superior bandwidth (ie, ping flooding from a DS3 a DS1 circuit) that are not addressed in some manner at an operating system or user level.

> "And how do I configure my router for that?" Use access-lists to prevent
> your networks from accepting spoofed packets from your customers, or
> insist that they use such filters on their routers.

This is not a valid answer. People who think that the entire Internet can be globally configured to prevent packet forgery from occurring in the first place are deluding themselves, and I think we, as Internet professionals with an understanding of how these protocols work, understand that.

Unfortunately, a bizarre faction of people have decided that the best way to address problems that are made difficult to repair by the design of legacy software is to deny that they A.) exist or B.) are fixable. "Wait for IPsec" and "Wait for DNSsec" are, in my opinion, inadequate answers. "Prevent packet forgery from happening" seems ludicrous.

Apologies for the quantity of opinion here. Thanks for writing.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [[email protected]]
----------------
"If you're so special, why aren't you dead?"