On 16/05/13 12:58, Martijn Grooten wrote:
> 
> I don't think it makes you more likely to be hacked.

If the DNS recursive resolver you use answers queries for remote machines, it makes it (and thus you) more vulnerable to DNS poisoning type attacks. I don't expect DNS poisoning attacks due to DNS server vulnerabilities, or weaknesses in the DNS resolution process, to make a big comeback, but it would be a foolish man who said "never again". Also, if an attack against a recursive resolver requires malformed packets to be sent, then this attack would likely not be possible for a remote attacker if the resolver is not open.

This paper is pretty comprehensive on source address spoofing for its time:
http://rbeverly.net/research/papers/spoofer-imc09.ps

Beverly has also been involved in work on mitigation of source address spoofing, which can be done if a small percentage of core routers deploy algorithms that allow them to establish whether a packet has likely been spoofed. This approach works in simulation.

The issue is, as ever, that the costs (of mitigation or fixing) typically fall on someone other than the victim (or ideally on the attacker!); indeed the costs of mitigation likely fall on networks, some of whom may even profit indirectly from the attacks (if they charge per bit carried, rather than for connectivity alone). I don't think any of them intend to profit, and most charging algorithms at this level exclude extreme events, but they certainly are unlikely to benefit much directly from preventing source address spoofing.

There are some notable exceptions: Akamai have been active in DDoS mitigation research of various sorts, presumably because as a CDN both the cost of, and responsibility for defeating, DDoS are shifted to themselves. Presumably other content delivery networks are in a similar position. Arguably a case for government intervention to prevent market failure.

IPv6 will hopefully address the issue, although I believe it introduces its own issues because suddenly there are a lot more IP addresses to deal with. Not something I know enough about.

A cheaper but criminal approach would be to hire DDoS services and use them to attack large network providers' websites and other services, to motivate them to deploy such mitigation in their own networks, thus aligning the interests of the victim and the organisations which can fix the issue.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
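The distinction the post draws between an "open" recursive resolver (one that recurses for any source address) and one that only serves its own clients can be checked with a single recursive query sent from outside the resolver's network. The script below is an added example, not code from the post or the list: it builds a minimal DNS query with the RD (recursion desired) bit set, decodes the response header, and classifies the resolver as open when the reply carries RA (recursion available) together with a real answer or NXDOMAIN, or as refused when RCODE is 5 or RA is clear. The two canned responses are constructed inline so the logic runs offline; `probe()` is the only part that touches the network, and the resolver address, query name and timeout it takes are the caller's assumptions, not values from the post.

```python
"""Classify a recursive resolver as open or restricted from its reply to
an outside recursive query.  Added example; constructed data throughout."""
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def build_query(name: str, qid: int = 0x1234, recursion_desired: bool = True) -> bytes:
    """Build a minimal DNS query (QTYPE=A, QCLASS=IN) for `name`.

    Only the RD flag is set; QR/AA/TC are zero as they must be in a query.
    """
    flags = 0x0100 if recursion_desired else 0x0000          # RD is bit 8
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError("DNS labels must be 1..63 octets")
        qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"                                         # root label
    return header + qname + struct.pack("!HH", 1, 1)         # A, IN


def parse_header(data: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into flag bits and section counts."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(query: bytes, response: bytes) -> str:
    """Classify the resolver from its reply to a recursive query sent from
    outside its client base.  Returns one of:
      'no-reply'                - nothing came back (dropped or filtered)
      'id-mismatch'             - reply is not for our query; ignore it
      'refused'                 - RCODE 5: recursion denied to this source
      'recursion-not-offered'   - RA clear: resolver will not recurse for us
      'open'                    - RA set and the name was actually resolved
      'inconclusive'            - RA set but some other error (e.g. SERVFAIL)
    """
    if not response:
        return "no-reply"
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        return "id-mismatch"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if not h["ra"]:
        return "recursion-not-offered"
    if h["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "open"          # it went and looked the name up for a stranger
    return "inconclusive"


def constructed_open_response(query: bytes) -> bytes:
    """Constructed reply an open resolver would send: QR|RD|RA, NOERROR,
    one A record (192.0.2.1, TEST-NET-1) pointing back at the question name."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = query[12:]                       # echo the question section
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def constructed_refused_response(query: bytes) -> bytes:
    """Constructed reply from a resolver restricting recursion: QR|RD|RA with
    RCODE=5 (REFUSED) and an empty answer section."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, 0x8185, 1, 0, 0, 0) + query[12:]


def probe(resolver: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one recursive query over UDP and classify the reply.  Run this
    from a host outside the resolver's own network, with permission."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        try:
            response, _ = s.recvfrom(512)
        except socket.timeout:
            response = b""
    return classify_response(query, response)


if __name__ == "__main__":
    q = build_query("example.com")
    print("open resolver   :", classify_response(q, constructed_open_response(q)))
    print("restricted one  :", classify_response(q, constructed_refused_response(q)))
```

A result of "open" from an address the resolver does not serve is the condition the post warns about; the fix is to restrict recursion to the resolver's own clients (for BIND, `allow-recursion { ... };` listing only those networks, or `recursion no;` on an authoritative-only server). Note that some resolvers still set RA while returning REFUSED, which is why the RCODE is checked before the RA bit.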