North American Network Operators Group


Re: DNS Hijacking by Cox

  • From: Chris L. Morrow
  • Date: Tue Jul 24 11:16:48 2007


On Mon, 23 Jul 2007, Joe Greco wrote:

>
> > Quoting Joe Greco <[email protected]>:
> > The procedures and
> > paths of action you wish the larger ISPs to take are just not
> > practical.
>
> No, they're just a little more difficult.  I realize that it's more
> complex to inject a blackhole host route into the IGP of your average
> large ISP than it is to wreak a little configuration havoc on some
> recursers.  That doesn't make the easier solution correct.
>

actually.... this really depends upon the management/admin
responsibilities in question, and on the level of damage you are willing
to wreak.

a simple blackhole route (generally not in the IGP, but iBGP though that
does depend upon the local preferences of the operator I suppose) is much
easier for some folks to do, it has the side effect of having large blast
radius on vhost-type ip addresses.

a 'simple' dns redirection is 'easier' if you are the dns-admin, often the
dns-admin and routing-admin are not in the same place in the company and
they don't 'trust' each other for these sorts of things. Doing the work in
the DNS server does have the nice side effect that you can block the
domain regardless of ip changes and without the problem associated with
vhost-type ip addresses.

With all of the solutions proposed and possible there are risks, costs and
benefits. Weighing those out and keeping in mind Cox (IN THIS EXAMPLE) has
+5million users and will have to take a very low cost solution.

So, backing up again.... given a set of options, and a set of risks with
those options and keeping in mind that false positives will happen
eventually (this clearly being a case of that) is this worth 35 messages
to discuss a false positive?

-Chris
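The trade-off Chris describes above (a routing-side blackhole is cheap but hits every vhost sharing the address, while a DNS-side block only touches the one name and keeps working when the target changes IP) can be checked before pulling either lever. The following is an added worked example, not code from the original post or from any operator mentioned in the thread; the hostnames and the 192.0.2.0/24 addresses are constructed sample data, and the `max_collateral` threshold in `choose_control` is an assumed policy knob.

```python
"""Model the blast radius of two ways to cut off a malicious hostname:
an IP blackhole route (affects every name resolving to that address) and
a DNS-level block at the recursive resolver (affects only the name, and
survives the target moving to a new address)."""

# Constructed sample forward-DNS view; names are made up and the
# addresses come from the 192.0.2.0/24 documentation range.
DNS_RECORDS = {
    "bad.example": "192.0.2.10",
    "innocent-blog.example": "192.0.2.10",  # vhosts sharing the address
    "shop.example": "192.0.2.10",
    "other.example": "192.0.2.20",
}


def ip_blackhole_scope(records, blocked_ip):
    """Names that become unreachable once a host route for blocked_ip is
    blackholed: the intended target plus every vhost on the same address."""
    return sorted(name for name, ip in records.items() if ip == blocked_ip)


def dns_block_scope(records, blocked_name):
    """A DNS redirection in the recursor only touches the blocked name."""
    return [blocked_name] if blocked_name in records else []


def collateral_names(records, target):
    """Unrelated names that an IP blackhole aimed at target would also hit."""
    return [n for n in ip_blackhole_scope(records, records[target]) if n != target]


def still_blocked_after_move(records, target, new_ip, blackholed_ips, blocked_names):
    """Re-evaluate both controls after the target moves to new_ip.
    Returns (ip_blackhole_still_effective, dns_block_still_effective)."""
    moved = dict(records)
    moved[target] = new_ip
    return (moved[target] in blackholed_ips, target in blocked_names)


def choose_control(records, target, max_collateral):
    """Assumed policy: take the cheaper routing-side blackhole unless it
    would take down more than max_collateral unrelated names; otherwise
    do the block in the DNS server instead."""
    if len(collateral_names(records, target)) <= max_collateral:
        return "ip-blackhole"
    return "dns-block"


if __name__ == "__main__":
    target = "bad.example"
    print("IP blackhole would hit:", ip_blackhole_scope(DNS_RECORDS, DNS_RECORDS[target]))
    print("DNS block would hit:   ", dns_block_scope(DNS_RECORDS, target))
    print("collateral names:      ", collateral_names(DNS_RECORDS, target))
    print("after target moves to 192.0.2.30 (ip_blackhole, dns_block):",
          still_blocked_after_move(DNS_RECORDS, target, "192.0.2.30",
                                   {DNS_RECORDS[target]}, {target}))
    print("recommended control:   ", choose_control(DNS_RECORDS, target, max_collateral=0))
```

Run it as a script to see the comparison on the sample data: the blackhole on 192.0.2.10 takes two innocent vhosts with it, the DNS block does not, and once the target moves to a new address only the DNS block still applies. Against a real zone or passive-DNS export, feeding the records into the same functions gives an operator the collateral count before the blast radius is discovered the hard way, which is the kind of cost/risk weighing the post is asking for.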