[Sysadmins] Eircom DNS woes...

David Malone dwmalone at maths.tcd.ie
Wed Jul 15 09:49:00 IST 2009


On Wed, Jul 15, 2009 at 09:09:23AM +0100, Colm MacCárthaigh wrote:
> It can, a little. For example, let's say that www.rte.ie is being
> spoofed as part of the attack. The DDoS style cache poisoning
> mechanisms require the attackers to spoof answers either from the root
> nameservers, the IE nameservers, or the RTE nameservers. Since Eircom
> and RTE both peer at INEX, using strict RPF might offer some
> protection against that one. Many of the IE nameservers are reachable
> that way too, and one of the root servers. So that helps.

Presumably, if you're doing one of these DDoS cache poisoning
things, you probably go to the trouble of spoofing all of the root
servers, all of the IE servers and all of the RTE servers. They
also may have multiple vantage points to spoof from (possibly even
within the organisations hosting these servers, particularly if
they are using bots). So, I guess it would buy you time, but probably
wouldn't prevent the attack.

(I think I know how to make the attack infeasible with IPv6, but
haven't had a chance to code anything up yet.)

	David.
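
As an added illustration (not part of the original message), here is a small model of the strict RPF check discussed in this thread, showing which forged-source packets a border router would drop and which it would still accept. The routing table, interface names and addresses are constructed assumptions using documentation ranges, not the real networks named above.

```python
import ipaddress

# Constructed FIB for a hypothetical resolver-side border router:
# (prefix, interface the best route points out of). Documentation ranges only.
FIB = [
    ("192.0.2.0/24", "peering"),     # stands in for a nameserver prefix reached via the exchange
    ("198.51.100.0/24", "transit"),  # stands in for a nameserver prefix reached via transit
    ("0.0.0.0/0", "transit"),        # default route
]

def best_interface(src, fib=FIB):
    """Longest-prefix match on the source address, as a reverse-path lookup does."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in fib
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def strict_rpf_accepts(src, ingress, fib=FIB):
    """Strict RPF: accept only if the packet arrived on the interface
    the router would itself use to reach the claimed source."""
    return best_interface(src, fib) == ingress

def classify(packets):
    """Return (source, ingress, verdict) for each packet."""
    return [(src, ingress, "accept" if strict_rpf_accepts(src, ingress) else "drop")
            for src, ingress in packets]

# Constructed packets: (claimed source, interface it arrived on)
SAMPLE = [
    ("192.0.2.53", "transit"),     # peering-reachable source claimed, arrives over transit
    ("192.0.2.53", "peering"),     # same claimed source, sender sits behind the exchange
    ("198.51.100.53", "transit"),  # transit-reachable source claimed, arrives over transit
    ("198.51.100.53", "peering"),  # transit-reachable source claimed, arrives over peering
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

The filter only helps for sources whose best route points at a different interface than the one the forged packet arrives on, which is why it covers some of the nameservers and not others.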


