North American Network Operators Group


Re: DNS Amplification Attacks

  • From: Florian Weimer
  • Date: Wed Mar 22 15:37:42 2006

* Peter Dambier:

>> This is not true.  There has been some questionable advice by a
>> regulatory body, though.  Most damage is done by ISPs which simply do
>> not adjust the filters to the moving target and run them as-is since
>> 2001 or so.  Null routes tend to filter a different customer after
>> such a long time.
> Here it is documented. Sorry it is in German only:

Yeah, sure, but your summary is misleading (convenient it's "German
only", is it?).  The actual damage was done by ISPs, that body only
gave questionable advice.  Afterwards, most ISPs simply didn't care,
in the sense that they didn't maintain the filters.

> Several sites were censored and could only escape by changing
> providers.

It's more interesting if you can't do this.  A null route on a router
in Frankfurt sometimes does wonders.  It's also fairly effective to
null-route what is logically a downstream customer, even if it's
outside your network (by a few AS hops) and somewhere in Asia.

Such things happen all the time, and not just for DDoS prevention
purposes or malware containment.  Some of the filters are clearly
targeted at specific content which is deemed unsuitable for
consumption by Germans.  Such cases are not well-publicized.  Often,
you can't tell them from genuine routing problems (and if you've got
insider information, you typically can't publish).  I don't think this
is just a German or Chinese problem, by the way.

> Nevertheless I could see the site "http://www.enyo/"
> after adding " www.enyo enyo" to my /etc/hosts
> Maybe even could send you emails?

No, because I don't actually use ENYO. 8->