
Re: DNS Server DoS Attacks



Phill,

> 	I assert that unless you know for certain that the measurements
> are not contaminated in the manner hypothesised that you would be
> operating on speculation by accepting them at face value.
> 
> 	The onus of proof is generally held to be on the observation.

I'm having a little trouble with this logic.  You made two speculations,
with no evidence, and now you wish to shift the burden of proof for
those speculations to someone else?

> 	The only exception being cases like holocaust denial, moon
> landing hoax conspiracy theories and claims that OJ was innocent where
> the objections to the evidence require a vast number of other
> assumptions to be made.
> 
> 	The figures you give, 3 servers turned off ICMP do not match the
> measurements reported in the press (9 servers down) or my reading of the
> measurement sites at the time. Ergo it appears that either more sites
> turned off ICMP than you report

I have data showing regular ping responses from the other 10 DNS roots
during that period, as well as regular ping attempts to the 3 that stopped
responding to ping, plus direct correspondence with the operators of those 3.

> or some network operations decision or
> network related effect, probably due to congestion may have occurred.

> 	Of course there may be yet another reason.

Indeed.  One could speculate any number of potential causes for any
effect.  The burden of proof would be on the person so speculating.
If you have concrete evidence for your speculations, please cite it;
otherwise, we might as well move on.

> 		Phill

-jsq

> > -----Original Message-----
> > From: John S. Quarterman [mailto:jsq@matrix.net]
> > Sent: Monday, November 25, 2002 12:13 PM
> > To: Hallam-Baker, Phillip
> > Cc: John S. Quarterman; 'D. J. Bernstein'; namedroppers@ops.ietf.org
> > Subject: Re: DNS Server DoS Attacks 
> > 
> > 
> > >I thought that was the most likely situation.
> > >
> > >There may also have been measurement problems due to ISPs turning off
> > >transport of ICMP pings and due to ICMP packets being preferentially
> > >dropped which would explain some of the measurements.
> > 
> > Do you have evidence for either of those things?
> > If not, it would be best not to base architecture on speculation.
> > 
> > -jsq
> > 
> > >> -----Original Message-----
> > >> From: John S. Quarterman [mailto:jsq@matrix.net]
> > >> Sent: Monday, November 25, 2002 11:37 AM
> > >> To: Hallam-Baker, Phillip
> > >> Cc: John S. Quarterman; 'D. J. Bernstein'; namedroppers@ops.ietf.org
> > >> Subject: Re: DNS Server DoS Attacks 
> > >> 
> > >> 
> > >> > Second it would be useful to know which systems (if any) went down. To
> > >> > date I know the identity of 5 of the 4 servers that stayed up and do not
> > >> > know the identity of a single machine that went down.
> > >> 
> > >> All 13 root DNS servers were up during the DDoS attack of 22-23 October 2002.
> > >> 3 of them turned off ICMP ECHO responses, but were responding to DNS requests.
> > >> There were side effects on Internet performance elsewhere.
> > >> 
> > >> -jsq
> > 
> 

--
archive: <http://ops.ietf.org/lists/namedroppers/>