Re: [Crisp] IRIS-LWZ and security issues due to spoofed sources

Andrew Newton <andy@hxr.us> Mon, 27 February 2006 14:46 UTC

In-Reply-To: <4402F9BA.6050903@ripe.net>
References: <Pine.LNX.4.64.0602270503580.9385@cwhois1.completewhois.com> <Pine.LNX.4.64.0602270532250.9385@cwhois1.completewhois.com> <4402F9BA.6050903@ripe.net>
Message-Id: <40753247-0679-43EA-AF0D-2C5A35F5144A@hxr.us>
From: Andrew Newton <andy@hxr.us>
Subject: Re: [Crisp] IRIS-LWZ and security issues due to spoofed sources
Date: Mon, 27 Feb 2006 09:41:08 -0500
To: Shane Kerr <shane@ripe.net>
Cc: CRISP WG <crisp@ietf.org>, William Leibzon <william@completewhois.com>

On Feb 27, 2006, at 8:08 AM, Shane Kerr wrote:

> Since this is a general UDP problem, perhaps it makes sense to point to
> another document for this problem. Is there such a thing?

That was gonna be my first question:  just how do they mitigate this  
with DNS?  Or DHCP?  Or anything else that uses UDP?  It seems BCP 78  
is applicable to this.

Also, I was under the assumption that an amplification attack  
resulted in an order of magnitude higher response.  In other words,  
if I send a 100 byte packet, the amplification is in hundreds of  
times higher bytes and usually across multiple packets.  Perhaps if  
we could get a pointer to the classic attack scenario that would help.

According to this:
http://www.lancs.ac.uk/postgrad/pissias/netsec/ddos/index.html
There really are two types of attacks: reflection attacks and
amplification attacks.  As interesting as reflection attacks are,
they don't seem to be that much more gain than a direct attack.  The
amplification attack usually yields a 300 to 400 times magnification,
which I do not think IRIS would do.

More reading from CERT:
http://www.cert.org/incident_notes/IN-2000-04.html
The problem, it would seem, in the DNS world is a recursive name  
server configured to answer for anybody.  I don't think this is  
applicable to IRIS.

-andy

_______________________________________________
Crisp mailing list
Crisp@ietf.org
https://www1.ietf.org/mailman/listinfo/crisp
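The reflection-versus-amplification distinction discussed above can be measured rather than guessed at. The following is an added example, not code from the thread or from any IRIS implementation: it takes constructed UDP flow records as a collector beside a server would see them and computes, per requester, how many bytes and packets went back for each byte and packet received. The service names, addresses and the 10x threshold are assumptions for illustration.

```python
"""Added example (not from the thread): measure byte and packet amplification
per requester from constructed UDP flow records, to separate a service that
only reflects from one that amplifies."""
from collections import defaultdict

# Constructed flow records as a collector next to the server would see them:
#   (direction, peer, service, bytes, packets)
# "in"  = request whose (possibly spoofed) source address is `peer`
# "out" = the reply our server sent back to `peer`
FLOWS = [
    ("in",  "192.0.2.10", "dns-recursive", 60,   1),
    ("out", "192.0.2.10", "dns-recursive", 3000, 3),
    ("in",  "192.0.2.20", "lwz-like",      100,  1),   # service name is a placeholder
    ("out", "192.0.2.20", "lwz-like",      150,  1),
    ("in",  "192.0.2.30", "lwz-like",      100,  1),   # request that got no reply
]

def amplification_factors(flows):
    """Return {(peer, service): (byte_factor, packet_factor)} where each factor
    is what the server sent to the peer divided by what it received from the
    peer. A peer that received nothing back gets (0.0, 0.0)."""
    totals = defaultdict(lambda: [0, 0, 0, 0])  # bytes_in, bytes_out, pkts_in, pkts_out
    for direction, peer, service, nbytes, npkts in flows:
        t = totals[(peer, service)]
        if direction == "in":
            t[0] += nbytes; t[2] += npkts
        else:
            t[1] += nbytes; t[3] += npkts
    return {key: (t[1] / t[0], t[3] / t[2])
            for key, t in totals.items() if t[0] > 0}  # skip replies with no request

def classify(byte_factor, threshold=10.0):
    """Label a reply/request byte ratio. The threshold is an assumption: a ratio
    near 1 gives an attacker only reflection (no gain over sending directly),
    while a large ratio is what makes a service worth abusing."""
    if byte_factor >= threshold:
        return "amplification"
    return "reflection-only" if byte_factor > 0 else "no-response"

if __name__ == "__main__":
    for (peer, svc), (bf, pf) in sorted(amplification_factors(FLOWS).items()):
        print(f"{svc:14} {peer:12} bytes x{bf:5.1f} pkts x{pf:4.1f} {classify(bf)}")
```

A service whose replies are only slightly larger than its requests scores close to 1 and therefore offers little beyond reflection, which is the point made about IRIS above; the open recursive resolver case scores in the tens.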