[Atlas-anchors-pilot] Services on Atlas anchors as measurement targets

john jbond at ripe.net
Fri Mar 8 12:25:49 CET 2013


On 3/8/13 12:14 PM, Stephane Bortzmeyer wrote:
> On Fri, Mar 08, 2013 at 12:01:45PM +0100,
>  john <jbond at ripe.net> wrote 
>  a message of 61 lines which said:
> 
>> As a looking glass can also be viewed as an open resolver.
> 
> Not at all. The big problem with DNS open resolvers is that they run
> over UDP so there is zero guarantee the source IP address is genuine,
> allowing reflection attacks (RFC 5358). Using HTTP, therefore TCP,
> makes the DNS looking glass immune to these problems (RFC 5961).
Of course, I will blame this faux pas on the fact that I hadn't finished
my coffee :)
> 
> Another solution to the specific problem of reflection attacks would
> be to have an open resolver allowing only TCP (AFAIK, it is not
> possible with existing server software, but you can always filter out
> UDP/53 inbound).
Another option worth exploring; however, this would require an IP address.
Perhaps we could start thinking about a looking glass server; the
following services come to mind:

	* DNS looking glass
	* BGP looking glass (if there are peering options at the anchor location)
	* something like www.downforeveryoneorjustme.com

However, it does feel like we are reinventing functionality that already
exists in Atlas.

Regards
John



