Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt
Dean Anderson <dean@av8.com> Wed, 12 December 2007 17:07 UTC
On Mon, 10 Dec 2007, Matt Larson wrote:

> Much against my better judgement, I'm replying to an author who
> repeatedly shows himself incorrigible.  But lest his continued
> repetition of a false claim--that authority servers can be used to
> mount as large an attack as open servers--begin to give it an air of
> truth, I'd like to point out:

We have been over this before. The size of an attack depends only on the
size of the botnet sending queries and the bandwidth available to the
server responding. Authority servers send the exact same size packet as
do recursive servers. Therefore, the exact same attack can be mounted
with authority servers.

> Can you point us to even one 4Kb response from an authoritative
> server?

This is a frivolous assertion. _Any_ EDNS0-capable authority server can
be legitimately configured to provide an 8kb response. Some authority
servers are known to provide quite large SPF responses. The exact list
of authority servers that currently provide large responses is not
necessary to prove my assertions.

Furthermore, once root DNS servers start including IPv6 responses, their
responses will be quite large. Other authorities will also have much
larger responses.

> P.S. For you or anyone else who'd like to recall the details of the
> open-resolver based DDoS attacks from early 2006, my colleagues
> prepared an excellent (and frightening) presentation on them:
>
> http://www.nanog.org/mtg-0606/scalzo.html

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000