While it’s tempting to blame open resolvers for the SpamHaus attack and end the discussion, that paints an inaccurate picture. Open resolvers make for an easy target, but they can be managed properly — as, for example, Google does — and made to comply with the best practices set forth in the IETF’s Domain Name System Operations Working Group paper, “Preventing Use of Recursive Nameservers in Reflector Attacks.” That said, Domain Name Servers provide an ideal system for the type of attack directed at SpamHaus. That’s because the accepted paradigm is that when a query comes in to a Domain Name Server, it’s responded to in good faith, according to the query’s stated point of origin. After all, a good citizen would give directions to someone who asked for them.
↧