
At some point I'm hoping the full technical story about how the attack morphed from our infrastructure to Internet infrastructure can be told.

See poorly configured DNS servers and ISPs failing to configure their networks properly - so traffic with a source address which is not part of your allocated IP block is not allowed to leave your network. It is not that hard!

The Internet Infrastructure is working as designed.

Ref:

http://en.wikipedia.org/wiki/Ingress_filtering

http://tools.ietf.org/html/bcp38

Also:

If you run a DNS server - it is your responsibility to maintain and protect it so that it cannot be used to attack others, and by doing that you are helping the 'Internet infrastructure' remain intact as designed. By not doing this you are helping the 'attackers'.

Ingress Filtering is a rather vague concept. The actual application of blocking spoofed traffic is known as unicast reverse path forwarding.

http://en.wikipedia.org/wiki/Reverse_path_forwarding

http://tools.ietf.org/html/rfc3704
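To make the BCP 38 / uRPF distinction from the two comments above concrete, here is an added example (not from any commenter, and not a real router implementation) of how an ISP edge router decides whether a packet's source address is plausible. The FIB, interface names and sample packets are constructed using RFC 5737 documentation prefixes; "strict" and "loose" follow the modes described in RFC 3704.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB for a hypothetical ISP edge router: (prefix, egress interface).
# Prefixes are RFC 5737 documentation ranges, not real allocations.
FIB = [
    (ip_network("0.0.0.0/0"),        "upstream0"),  # default route
    (ip_network("203.0.113.0/24"),   "cust-a"),     # customer A's allocation
    (ip_network("198.51.100.0/24"),  "cust-b"),     # customer B's allocation
    (ip_network("203.0.113.128/25"), "cust-a2"),    # more specific: A's second link
]

def lookup(addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    a = ip_address(addr)
    best = None
    for net, iface in FIB:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(src, ingress):
    """Strict uRPF (RFC 3704 s2.2): accept only if the best route back to the
    source address leaves via the interface the packet arrived on."""
    hit = lookup(src)
    return hit is not None and hit[1] == ingress

def urpf_loose(src):
    """Loose uRPF (RFC 3704 s2.4), ignoring the default route: accept if any
    non-default route to the source exists. Weaker, but it does not break
    asymmetric routing the way strict mode can."""
    hit = lookup(src)
    return hit is not None and hit[0].prefixlen > 0

def filter_packets(packets, mode="strict"):
    """Apply the chosen check to (src, ingress_iface) pairs; return verdicts."""
    verdicts = []
    for src, ingress in packets:
        ok = urpf_strict(src, ingress) if mode == "strict" else urpf_loose(src)
        verdicts.append((src, ingress, "accept" if ok else "drop"))
    return verdicts

# Constructed sample: two legitimate packets, two with spoofed sources.
SAMPLE = [
    ("203.0.113.10", "cust-a"),    # legitimate
    ("203.0.113.200", "cust-a2"),  # legitimate, arrives on the more-specific link
    ("198.51.100.7", "cust-a"),    # customer A spoofing customer B's space
    ("192.0.2.1", "cust-a"),       # customer A spoofing an address with no route
]

if __name__ == "__main__":
    for verdict in filter_packets(SAMPLE, "strict"):
        print("strict", *verdict)
```

Note that the loose check still accepts the packet spoofing customer B's space: only strict mode at the customer edge gives the BCP 38 guarantee.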


Thanks - that RFC seems to sum it up: rfc3704

   BCP 38, RFC 2827, is designed to limit the impact of distributed
   denial of service attacks, by denying traffic with spoofed addresses
   access to the network,


> See poorly configured DNS servers and ISPs failing to configure their networks properly - so traffic with a source address which is not part of your allocated IP block is not allowed to leave your network. It is not that hard!

It may not be that hard to set things up this way, but very few ISPs configure their network with this restriction.
