North American Network Operators Group


Re: DNS was Re: Internet Vulnerabilities

  • From: E.B. Dreger
  • Date: Fri Jul 05 13:15:19 2002

SW> Date: Fri, 05 Jul 2002 17:50:24 +0100
SW> From: Simon Waters


SW> I think the gtld-servers.net are the target for a globally
SW> disruptive and prolonged DDoS. Servers doing reverse lookup
SW> might also be targets in more specialised attacks, as their
SW> disruption would be continent wide rather than merely country
SW> wide (like most forward lookups).

Maybe I'm nuts, but I also think the gTLD servers would be prime
targets.


SW> Paul obviously has the experience to tell me if I'm crazy,
SW> but I would guess the "." zone probably isn't that large in
SW> absolute terms, so large ISPs (NANOG members ?) could arrange
SW> for their recursive servers to act as private secondaries of
SW> ".", thus eliminating the dependence on the root servers
SW> entirely for a large chunk of the Internet user base.

Not only not that large, but not that dynamic.

Personally, I think it would be interesting to allow providers to
stealth slave (and perhaps anycast secondary) as much or as
little of the DNS tree as they wish.


SW> The single limiting factor on implementing such an approach
SW> would be DNS know-how, as whilst it is probably a two line
SW> change for most DNS servers to forward to their ISP's DNS
SW> server (or zone transfer "."), many sites probably lack the
SW> in-house skills to make that change at short notice.

Ignoring little providers, let's say that only the 10 largest
ASNs anycast root and gTLD zones for their downstreams.  I think
the effect would be very significant.


SW> In practical terms I'd be more worried about smaller attacks
SW> against specific CC domains.

Why stop with anycasting the roots?  If one wished to mirror gTLD
zones, fine.  I argue that provider disk/bandwidth/clue are the
limiting factors.

If a mirror were "0wn3d", it would affect 1) downstreams in the
case of a "private anycast", or 2) multiple parties on "public
anycast" boxen.  Hopefully anyone with enough bandwidth to offer
public anycast would have enough clue to operate DNS responsibly.
Hopefully anyone with enough clue to offer _any_ anycast (i.e.,
to think outside the standard BGP box) would be clueful enough
to operate DNS responsibly.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist[email protected]>
To: [email protected]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <[email protected]>, or you are likely to
be blocked.
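The two configuration changes the quoted message refers to (forwarding to the ISP's resolvers, or stealth-secondarying "."), written out as an added example in BIND 9 named.conf syntax; this is not configuration from either poster. All addresses, ACL ranges and file paths are assumed placeholders, and the three fragments belong on three different hosts.

```conf
# Added example, not from the original thread. Placeholder addresses
# (192.0.2.x, 198.51.100.x, 203.0.113.x) are assumed, not real servers.

# --- Host 1: a site's recursive resolver, Option A: the "two line change".
# Everything goes to the ISP's resolvers; the root servers are never queried
# directly by this box, so it keeps working while they are under attack.
options {
    recursion yes;
    forward only;                    # never fall back to iterating from "."
    forwarders { 192.0.2.53; 192.0.2.54; };   # ISP resolvers (assumed)
};

# --- Host 2: a site's recursive resolver, Option B: stealth secondary of ".".
# A slave zone for "." replaces the root hints: delegations are answered from
# the local copy, so root-server reachability no longer matters here.
# Nothing lists this box in the root NS set, hence "stealth".
zone "." {
    type slave;                      # newer BIND also accepts "secondary"
    masters { 192.0.2.53; };         # ISP's copy of "." (assumed); newer
                                     # BIND also accepts "primaries"
    file "slave/root.zone";
    notify no;                       # serves local clients only
    allow-transfer { none; };
    # Caveat: if transfers fail for longer than the SOA expire timer the zone
    # expires and root queries SERVFAIL instead of falling back to hints, so
    # monitor the serial. BIND 9.14+ also offers "type mirror", which DNSSEC-
    # validates the transferred zone before serving it.
};

# --- Host 3: the ISP's server that downstreams transfer "." from. It is itself
# a secondary of a root operator that permits AXFR. Transfers are restricted
# to customers, which limits the blast radius of the "0wn3d mirror" case.
acl downstreams { 198.51.100.0/24; };   # customer resolver range (assumed)
zone "." {
    type slave;
    masters { 203.0.113.1; };        # a root operator allowing AXFR (assumed)
    file "slave/root.zone";
    allow-transfer { downstreams; };
    notify explicit;                 # stealth slaves are not in the NS set,
    also-notify { 198.51.100.53; };  # so they must be notified explicitly
};
```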