Markus Stumpf wrote:
> On Thu, Sep 25, 2003 at 01:08:44PM -0400, Chris Lewis wrote:
> > 1) What's to prevent the DDOS attackers from DDOS'ing the DNS servers
> > serving up the ranges they're spamming from? I sense yet another
> > business opportunity for the DDOSers - "pay us to blow the brains out of
> > your ISP's DNS servers!"
> What do they gain?
> If the defaults are correctly adjusted, none of the emails will go
> through, because no answer = don't accept.
Anything that defaults to "email blocked if DNS doesn't give me an
answer" is, um, way too dangerous.
I.e., you could kill my inbound and outbound mail altogether by DDOS'ing
_my_ DNS servers. Ouch.
Even in the impossible event that _everyone_ complied with such a
standard, having your email abruptly stop working altogether if your DNS
fails is not something I want to propose to the PTBs.
Thus, it would have to default to "let it through", and DDOS'ing the
ISP's (or recipient's) DNS servers will be too attractive an idea to
pass up.
We either have to come up with a proposal to make the feature
DDOS-proof, _or_ find some way to stop DDOSes in general (technically
or bomb-from-orbit). I think stopping DDOSes is a vastly preferable
approach than band-aiding individual protocols.
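The fail-mode argument above can be modelled directly. The following is an added illustration, not code from the thread or from any ASRG proposal: it assumes a hypothetical DNS record that lists the hosts allowed to send for a domain, and constructs sample records, addresses and traffic. It compares the two no-answer defaults the thread discusses (reject, as Markus suggests; accept, as Chris argues it would end up) and a third option the thread does not mention but which SMTP provides: answer a lookup failure with a 4xx transient reply, so the sending MTA queues and retries once DNS is back rather than the receiver choosing between losing legitimate mail and waving spam through.

```python
from collections import Counter
from enum import Enum


class Lookup(Enum):
    """Outcome of the (hypothetical) DNS query about a sending host."""
    AUTHORIZED = "authorized"          # record lists the host as a sender
    NOT_AUTHORIZED = "not_authorized"  # record exists, host not listed
    NO_ANSWER = "no_answer"            # timeout/SERVFAIL: DNS unreachable


class Policy(Enum):
    FAIL_CLOSED = "reject on no answer"  # "no answer = don't accept"
    FAIL_OPEN = "accept on no answer"    # "default to let it through"
    TEMPFAIL = "defer on no answer"      # SMTP 4xx, sender retries later


# SMTP reply codes the receiving MTA would send
ACCEPT, DEFER, REJECT = 250, 451, 550

# Constructed sample data: hosts each sending domain authorizes
SAMPLE_RECORDS = {
    "example.com": {"203.0.113.10"},
    "example.net": {"198.51.100.7"},
}


def resolve(domain, sender_ip, dns_reachable=True):
    """Simulated DNS lookup. dns_reachable=False models the DNS servers
    being unreachable (e.g. knocked over by a DDoS): no answer at all."""
    if not dns_reachable:
        return Lookup.NO_ANSWER
    authorized = SAMPLE_RECORDS.get(domain, set())
    return Lookup.AUTHORIZED if sender_ip in authorized else Lookup.NOT_AUTHORIZED


def decide(result, policy):
    """Map a lookup outcome to an SMTP reply under the chosen policy."""
    if result is Lookup.AUTHORIZED:
        return ACCEPT
    if result is Lookup.NOT_AUTHORIZED:
        return REJECT
    # Only the no-answer case depends on the configured default
    return {Policy.FAIL_CLOSED: REJECT,
            Policy.FAIL_OPEN: ACCEPT,
            Policy.TEMPFAIL: DEFER}[policy]


# Constructed inbound traffic: (claimed sending domain, connecting IP, legitimate?)
SAMPLE_TRAFFIC = [
    ("example.com", "203.0.113.10", True),
    ("example.net", "198.51.100.7", True),
    ("example.com", "192.0.2.99", False),   # forged sender, unlisted host
    ("example.net", "192.0.2.100", False),
]


def simulate(policy, dns_reachable, traffic=SAMPLE_TRAFFIC):
    """Count how legitimate and forged messages fare for one policy and
    DNS state. Keys: legit_accepted, legit_rejected, forged_accepted,
    forged_rejected, deferred (only keys with a nonzero count appear)."""
    counts = Counter()
    for domain, ip, legit in traffic:
        reply = decide(resolve(domain, ip, dns_reachable), policy)
        if reply == DEFER:
            counts["deferred"] += 1
        elif reply == ACCEPT:
            counts["legit_accepted" if legit else "forged_accepted"] += 1
        else:
            counts["legit_rejected" if legit else "forged_rejected"] += 1
    return dict(counts)


if __name__ == "__main__":
    for policy in Policy:
        for dns in (True, False):
            print(f"{policy.name:11} dns_reachable={dns!s:5} -> {simulate(policy, dns)}")
```

With DNS reachable every policy behaves the same; the difference appears only during an outage. Fail-closed rejects both legitimate messages outright (the "kill my inbound mail" case), fail-open accepts both forged ones (the payoff that makes DDoS'ing the resolver attractive), and the 451 variant defers everything and delivers it unchanged once the lookup works again, at the cost of delay and retry queues on the sending side.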
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg