North American Network Operators Group


Re: Great Suggestion for the DNS problem...?

  • From: Matt F
  • Date: Mon Jul 28 22:44:24 2008

What would the ip-blocking BGP feed accomplish? Spoofed source addresses are a staple of the DNS cache poisoning attack.

Worst case scenario, you've opened yourself up to a new avenue of attack where your nameservers are receiving spoofed packets intended to trigger a blackhole filter, blocking communication between your network and the legitimate owner of the forged IP address.

Michael Smith wrote:
Hello All:


From: Paul Vixie <[email protected]>
Date: Tue, 29 Jul 2008 01:24:43 +0000
To: Nanog <[email protected]>
Subject: Re: Great Suggestion for the DNS problem...?

[email protected] ("Jay R. Ashworth") writes:

[ unthreaded to encourage discussion ]

On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
Nameservers could incorporate poison detection...

Listen on 200 random fake ports (in addition to the true query ports);
if a response ever arrives at a fake port, then it must be an attack,
read the "identified" attack packet, log the attack event, mark the
RRs mentioned in the packet as "poison being attempted" for 6 hours;
for such domains always request and collect _two_ good responses
(instead of one), with a 60 second timeout, before caching a lookup.

The attacker must now guess nearly 64-bits in a short amount of time,
to be successful. Once a good lookup is received, discard the normal
TTL and hold the good answer cached and immutable, for 6 hours (_then_
start decreasing the TTL normally).

Is there any reason which I'm too far down the food chain to see why
that's not a fantastic idea? Or at least, something inspired by it?

at first glance, this is brilliant, though with some unimportant nits.

however, since it is off-topic for nanog, i'm going to forward it to
the [email protected] mailing list and make detailed comments
there.
--
Still off topic, but perhaps a BGP feed from Cymru or similar to block IP
addresses on the list?

Regards,

Mike
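To make the mechanism James Hess sketches in the quoted text concrete, here is a small simulation of it. This is an added example, not code from any poster on the thread and not from any real resolver: a resolver object keeps a set of 200 "fake" UDP ports it never queries from, treats any answer arriving on one of them as a poisoning attempt against the name in the packet, marks that name "poison being attempted" for 6 hours, and from then on caches an answer for it only after two agreeing responses arrive within 60 seconds, holding the result immutable for 6 hours. The class and function names, the ephemeral port range, the fake clock, and the sample answers (RFC 5737 documentation addresses) are all constructed for the example.

```python
"""Simulation of fake-port poison detection plus double-confirmation.

Added example illustrating the scheme quoted in the thread; all names,
sample records and the clock abstraction are constructed for this demo.
"""
import random
from dataclasses import dataclass

POISON_HOLD = 6 * 3600   # how long a name stays marked as "poison being attempted"
CONFIRM_WINDOW = 60      # two good answers must agree within this many seconds
N_FAKE_PORTS = 200       # listening ports no query is ever sent from


@dataclass(frozen=True)
class Response:
    dst_port: int   # UDP port the answer arrived on
    txid: int       # DNS transaction ID carried in the answer
    qname: str      # name the answer claims to be for
    rdata: str      # answer data (constructed, e.g. an IPv4 address)


class FakeClock:
    """Deterministic clock so the demo can jump forward in time."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class PoisonAwareResolver:
    def __init__(self, rng, clock):
        self.rng = rng
        self.clock = clock
        # Ports we listen on but never send from: any answer here is unsolicited.
        self.fake_ports = set(rng.sample(range(1024, 65536), N_FAKE_PORTS))
        self.outstanding = {}    # (port, txid) -> qname for in-flight queries
        self.suspect_until = {}  # qname -> time the "poison attempted" mark expires
        self.pending = {}        # qname -> (rdata, received_at) awaiting a 2nd answer
        self.cache = {}          # qname -> (rdata, immutable_until)
        self.attack_log = []     # (time, qname, forged rdata) for each detection

    def send_query(self, qname):
        """Pick a fresh (port, txid) pair that avoids the fake ports."""
        while True:
            port = self.rng.randrange(1024, 65536)
            txid = self.rng.randrange(65536)
            if port not in self.fake_ports and (port, txid) not in self.outstanding:
                self.outstanding[(port, txid)] = qname
                return port, txid

    def is_suspect(self, qname):
        return self.suspect_until.get(qname, 0) > self.clock()

    def lookup(self, qname):
        entry = self.cache.get(qname)
        return entry[0] if entry else None

    def receive(self, resp):
        """Process one answer packet and report what happened to it."""
        now = self.clock()
        if resp.dst_port in self.fake_ports:
            # Nothing was ever sent from this port: log it and mark the name.
            self.attack_log.append((now, resp.qname, resp.rdata))
            self.suspect_until[resp.qname] = now + POISON_HOLD
            return "attack"
        if self.outstanding.get((resp.dst_port, resp.txid)) != resp.qname:
            return "dropped"          # no matching in-flight query
        del self.outstanding[(resp.dst_port, resp.txid)]
        cached = self.cache.get(resp.qname)
        if cached and cached[1] > now:
            return "immutable"        # confirmed answer still held, ignore newcomer
        if not self.is_suspect(resp.qname):
            self.cache[resp.qname] = (resp.rdata, 0)
            return "cached"           # normal path: one good answer suffices
        prev = self.pending.pop(resp.qname, None)
        if prev and now - prev[1] <= CONFIRM_WINDOW:
            if prev[0] == resp.rdata:
                self.cache[resp.qname] = (resp.rdata, now + POISON_HOLD)
                return "cached"       # two agreeing answers: cache and freeze
            return "conflict"         # disagreeing answers: trust neither
        self.pending[resp.qname] = (resp.rdata, now)
        return "pending"              # first good answer, wait for the second


def demo():
    clock = FakeClock()
    r = PoisonAwareResolver(random.Random(1), clock)
    events = []
    port, txid = r.send_query("example.com.")
    events.append(r.receive(Response(port, txid, "example.com.", "192.0.2.10")))
    # A forged answer lands on a fake port: detected, example.net. becomes suspect.
    events.append(r.receive(Response(min(r.fake_ports), 12345, "example.net.", "198.51.100.66")))
    p1, t1 = r.send_query("example.net.")
    events.append(r.receive(Response(p1, t1, "example.net.", "192.0.2.20")))
    clock.advance(5)
    p2, t2 = r.send_query("example.net.")
    events.append(r.receive(Response(p2, t2, "example.net.", "192.0.2.20")))
    p3, t3 = r.send_query("example.net.")
    events.append(r.receive(Response(p3, t3, "example.net.", "198.51.100.66")))
    return events, r.lookup("example.net."), len(r.attack_log)
```

Running `demo()` walks through the four states the proposal distinguishes: a normal one-answer cache fill, a detection on a fake port, the first answer for a suspect name held pending, the second agreeing answer cached and frozen, and a later conflicting answer rejected because the entry is immutable. Note that the fake-port signal says nothing about where the forged packet really came from, which is the point Matt F makes above about feeding such detections into an IP blocklist.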