|Bracing against the wind|
Monday, January 11, 2010
The first is that it's easy to spoof UDP packets because consumer and commercial provider routers (botnet sources) don't filter inbound packets based on the list of expected subnets for that interface. Sounds confusing?
How about this: Anyone can easily fake the IP address they are coming from and their ISP won't notice because they are lazy about configuring things.
Routing involves looking at a packet's destination and sending it on. Safe routing ALSO involves looking at the source address and refusing the packet if it arrives on an interface where that source is not expected. After all, how much harder is it to do two lookups in two dynamic tables instead of one? Only twice as hard. But companies are lazy and only do one, saving themselves very little money while costing the world in reliability.
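The two-lookup idea above, as an added example (not code from this post or from any router vendor): a toy router that keeps, per customer-facing interface, the list of prefixes legitimately assigned behind it, and drops any packet whose source address is not in that list (the BCP 38 / ingress-filtering check). The interface names, prefixes and packets are constructed sample data in documentation address space; the "lazy" forwarder is shown beside the filtering one so the difference is visible on the same input.

```python
import ipaddress

# Constructed interface table for a hypothetical edge router: each customer-facing
# interface maps to the prefixes the customer behind it is actually assigned.
INTERFACE_PREFIXES = {
    "eth1": ["203.0.113.0/24"],
    "eth2": ["198.51.100.0/25", "198.51.100.128/25"],
}

# Constructed sample packets as they arrive at the router (iface = where they came in).
SAMPLE_PACKETS = [
    {"iface": "eth1", "src": "203.0.113.7",   "dst": "192.0.2.53", "proto": "udp"},  # legitimate
    {"iface": "eth1", "src": "192.0.2.53",    "dst": "203.0.113.200", "proto": "udp"},  # spoofed: not eth1's prefix
    {"iface": "eth2", "src": "198.51.100.200", "dst": "192.0.2.53", "proto": "udp"},  # legitimate
    {"iface": "eth2", "src": "203.0.113.9",   "dst": "192.0.2.53", "proto": "udp"},  # spoofed: belongs to eth1
]


def build_filter_table(interface_prefixes):
    """Parse the per-interface prefix lists once into ip_network objects."""
    return {
        iface: [ipaddress.ip_network(p) for p in prefixes]
        for iface, prefixes in interface_prefixes.items()
    }


def is_source_allowed(table, iface, src):
    """The second lookup: is this source address expected on this interface?

    A packet from an interface the table does not know is refused too, which is
    the fail-closed choice for a customer edge.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(iface, []))


def forward_lazy(packets):
    """The one-lookup router: forwards everything, spoofed or not."""
    return list(packets)


def forward_filtered(table, packets):
    """The two-lookup router: returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        if is_source_allowed(table, pkt["iface"], pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


def spoofed_packets_let_through(table, packets):
    """How many packets the lazy router forwards that ingress filtering would have dropped."""
    _, dropped = forward_filtered(table, packets)
    return len(forward_lazy(packets)) - (len(packets) - len(dropped))


if __name__ == "__main__":
    table = build_filter_table(INTERFACE_PREFIXES)
    kept, dropped = forward_filtered(table, SAMPLE_PACKETS)
    print(f"lazy router forwards {len(forward_lazy(SAMPLE_PACKETS))} packets")
    print(f"filtering router forwards {len(kept)}, drops {len(dropped)} spoofed")
    for pkt in dropped:
        print(f"  dropped {pkt['src']} arriving on {pkt['iface']}")
```

The check is deliberately keyed on the ingress interface, not on a global "is this address routable" list: the same source can be perfectly valid on one port and a forgery on another, which is exactly the case the spoofed fourth packet illustrates.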
There was a class-action lawsuit that charged it was CISCO's responsibility to provide this by default (ddos-ca.org). The suit was dropped because of related concessions and developments by Microsoft. But CISCO/Linksys/Netgear failed to respond, and they still have failed. Their devices will all, by default, faithfully route spoofed botnet packets all day long, and so will most major ISPs with high-end routers.
Tell me, is that ENOM's fault? No. It's the fault of the people who route spoofed packets: both router vendors and ISPs.
But the second is that ENOM fails to hand out DNS servers correctly. For 5 million domains, they should hand out about 100 IPs in groups of 5 IPs per user. Also, the servers should be "lots of inexpensive" DNS servers, not "a few big servers", which are an easy target.
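The "100 IPs in groups of 5" idea above, as an added example (not ENOM's code or an actual ENOM configuration): a constructed pool of 100 nameserver addresses in documentation space is split into 20 groups of 5, each domain is mapped to one group by a hash, and a helper reports what fraction of domains becomes unresolvable when a given set of addresses is knocked out. The domain names and addresses are constructed; the point is the comparison with the "few big servers" layout, where every domain shares the same handful of addresses.

```python
import hashlib

GROUP_SIZE = 5

# Constructed pool of 100 nameserver addresses (192.0.2.1 .. 192.0.2.100), not real servers.
POOL = [f"192.0.2.{i}" for i in range(1, 101)]

# Constructed domain list standing in for a registrar's customers.
DOMAINS = [f"customer{i}.test" for i in range(2000)]


def make_groups(pool, group_size=GROUP_SIZE):
    """Split the pool into disjoint groups of `group_size` nameserver addresses."""
    return [pool[i:i + group_size] for i in range(0, len(pool), group_size)]


def assign_group(domain, groups):
    """Deterministically pick the group of nameservers a domain is handed out."""
    digest = hashlib.sha256(domain.lower().encode()).digest()
    return groups[int.from_bytes(digest[:4], "big") % len(groups)]


def unresolvable_fraction(domains, groups, attacked_ips):
    """Share of domains whose every assigned nameserver is in the attacked set.

    A domain still resolves as long as at least one of its nameservers is up,
    so only domains whose whole group is attacked count as down.
    """
    attacked = set(attacked_ips)
    down = sum(1 for d in domains if set(assign_group(d, groups)) <= attacked)
    return down / len(domains)


def compare_layouts(domains, pool, attacked_ips):
    """Return (fraction down with 20 groups, fraction down with one shared group of 5)."""
    spread = unresolvable_fraction(domains, make_groups(pool), attacked_ips)
    monolithic = unresolvable_fraction(domains, [pool[:GROUP_SIZE]], attacked_ips)
    return spread, monolithic


if __name__ == "__main__":
    # Knock out the first five addresses: one whole group in the spread layout,
    # and the only group that exists in the monolithic layout.
    spread, monolithic = compare_layouts(DOMAINS, POOL, POOL[:GROUP_SIZE])
    print(f"spread layout:     {spread:.1%} of domains unresolvable")
    print(f"monolithic layout: {monolithic:.1%} of domains unresolvable")
```

With the attacked set covering five addresses, the spread layout loses roughly one twentieth of the domains (the exact share depends on the hash) while the shared-servers layout loses all of them; that is the "distributing risk" the post is asking for, expressed as blast radius.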
Please read this for more information on properly distributing risk.