[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Sun Dec 29 08:01:29 EST 2013


On Dec 29, 2013, at 7:47 PM, Mark Tinka <mark.tinka at seacom.mu> wrote:

> The majority of (phishing) attacks have nothing to do with the network, with the exception of having the network transport those packets to the user's computing device.

Yes, but those that do, which replace the user-configured DNS settings with DNS settings of the attacker's choice, not to mention the possibility of cache-poisoning of poorly-maintained random DNS recursors on the Internet, would apply.

Also, I haven't even touched on availability - the whole open DNS recursor problem, and various remedies for it, which can and should include default policies for consumer broadband network operators which include anti-spoofing as close to the customer as possible as well as only allowing users who request it the ability to send DNS queries to DNS servers elsewhere on the Internet.

> Do they now sue Apple or Samsung for not detecting the spurious e-mail? Do they sue Google for not including protection within Android? Do they sue Dell for manufacturing and selling bundled hardware/software without adequate protection? Do they sue the regulator for not enacting (and enforcing) policy that protects the end user? Do they sue Cisco, Juniper, ALU, Huawei, etc., for not providing protection in their network-based devices?

My main concern in this particular discussion is with attacks which depend upon perturbing the intended destinations of specific traffic, because that's the primary risk to network operators.

Yes, I believe all the examples you cite are coming, although the network infrastructure vendors can point to features which they do in fact provide, but which some operators do not enable, out of ignorance, apathy, or a desire to avoid opex.  

There's simply too much money and too much advantage for politicians/regulators for the present state of affairs to continue much longer. The imposition of sales taxes on goods/services procured via the Internet is a good indicator of the general trend.

> If we start down this path, at what point are we satisfied that the customer is reasonably protected 
> from all possible attack vectors?

Network operators should concern themselves with network traffic destination manipulation in the network infrastructure and with ancillary supporting services they offer which affect same - namely, DNS - and with availability.

> How do customers and operators delineate lines between which responsibility lies in view of those attack vectors?

Assets and services under the control of and offered by network operators are quite clearly the responsibility of network operators. That's my primary concern; the software developers/vendors are another matter, entirely.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
