jgreco@ns.sol.net (Joe Greco) writes:
I am very, very, very disheartened to be shown to be wrong. As if 8 days wasn't bad enough, a concentrated attack has been shown to be effective in 10 hours. See http://www.nytimes.com/2008/08/09/technology/09flaw.html
that's what theory predicted. guessing a 30-or-so-bit number isn't "hard."
With modern data rates being what they are, I believe that this is still a severe operational hazard, and would like to suggest a discussion of further mitigation strategies. ...
i have two gripes here.

first, can we please NOT use the nanog@ mailing list as a workshop for discussing possible DNS spoofing mitigation strategies? namedroppers@ops.ietf.org already has a running gun battle on that topic, and dns-operations@lists.oarci.net would be appropriate. but unless we're going to talk about deploying BCP38, which would be the mother of all mitigations for DNS spoofing attacks, it's offtopic on nanog@.

second, please think carefully about the word "severe". any time someone can cheerfully hammer you at full-GigE speed for 10 hours, you've got some trouble, and you'll need to monitor for those troubles. 11 seconds of 10MBit/sec fit my definition of "severe". 10 hours at 1000MBit/sec doesn't.

-- 
Paul Vixie
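As an added illustration of the entropy-versus-line-rate argument in the exchange above (my own code, not from either poster), this models the trade-off from a resolver operator's side: how many unpredictable bits a resolver presents, and how long a blind spoof is expected to take at a given link rate. It assumes each forged response is an independent guess against the transaction ID plus source port, and the 100-byte packet size and port range are constructed sample values.

```python
import math

# Constructed model of "bits of entropy vs. attacker line rate".
# Assumes each forged response is an independent guess against `bits`
# of unpredictable state, so the expected number of forged packets
# before one is accepted is 2**bits (geometric trials).

def entropy_bits(txid_bits: int = 16, source_ports: int = 1) -> float:
    """Bits an attacker must guess: fixed txid width plus log2 of the
    number of source ports the resolver actually randomises over."""
    if source_ports < 1:
        raise ValueError("source_ports must be >= 1")
    return txid_bits + math.log2(source_ports)

def packets_per_second(link_bps: float, packet_bytes: int) -> float:
    """Forged responses per second that fit down a link of link_bps."""
    return link_bps / (8 * packet_bytes)

def expected_seconds(bits: float, link_bps: float, packet_bytes: int = 100) -> float:
    """Expected time until a blind spoof succeeds at full line rate."""
    return 2 ** bits / packets_per_second(link_bps, packet_bytes)

def bits_required(link_bps: float, packet_bytes: int, target_seconds: float) -> int:
    """Smallest whole number of unpredictable bits so that the expected
    spoof time at this line rate is at least target_seconds."""
    pps = packets_per_second(link_bps, packet_bytes)
    return max(0, math.ceil(math.log2(pps * target_seconds)))

if __name__ == "__main__":
    gige, ten_mbit = 1e9, 10e6
    legacy = entropy_bits(16, 1)        # fixed source port: txid only
    modern = entropy_bits(16, 64512)    # ports 1024-65535 randomised (assumed range)
    print(f"txid only: {legacy:.1f} bits, ~{expected_seconds(legacy, ten_mbit):.0f} s at 10 Mbit/s")
    print(f"txid+port: {modern:.1f} bits, ~{expected_seconds(modern, gige) / 3600:.1f} h at 1 Gbit/s")
    print("bits needed for a 10 h expected spoof at GigE:", bits_required(gige, 100, 10 * 3600))
```

The last line answers the operator's question directly: given the rate an attacker can push forged answers, how much entropy the resolver must present before the expected spoof time stops being "severe" by whatever threshold you choose.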