[Atlas-anchors-pilot] Services on Atlas anchors as measurement targets
john
jbond at ripe.net
Fri Mar 8 12:25:49 CET 2013
On 3/8/13 12:14 PM, Stephane Bortzmeyer wrote:
> On Fri, Mar 08, 2013 at 12:01:45PM +0100,
> john <jbond at ripe.net> wrote
> a message of 61 lines which said:
>
>> As a looking glass can also be viewed as an open resolver.
>
> Not at all. The big problem with DNS open resolvers is that they run
> over UDP so there is zero guarantee the source IP address is genuine,
> allowing reflection attacks (RFC 5358). Using HTTP, therefore TCP,
> makes the DNS looking glass immune to these problems (RFC 5961).
Of course, I will blame this faux pas on the fact that I hadn't finished
my coffee :)
>
> Another solution to the specific problem of reflection attacks would
> be to have an open resolver allowing only TCP (AFAIK, it is not
> possible with existing server software, but you can always filter out
> UDP/53 inbound).
Another option worth exploring; however, this would require an IP address.
Perhaps we could start thinking about a looking glass server; the
following services come to mind:
* DNS looking glass
* BGP Looking glass (if there are peering options at the anchor location)
* something like www.downforeveryoneorjustme.com
However, it does feel like we are reinventing functionality that already
exists in Atlas.
Regards
John