[153580] in North American Network Operators' Group

Re: Open DNS Resolver reflection attack Mitigation

daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Fri Jun 8 16:13:46 2012

Date: Fri, 8 Jun 2012 22:11:27 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Owen DeLong <owen@delong.com>
In-Reply-To: <9EAC3D5B-BAFA-437F-94E9-673E67806F3A@delong.com>
Cc: North American Networking and Offtopic Gripes List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, Jun 08, 2012 at 12:56:23PM -0700, Owen DeLong <owen@delong.com> wrote a message of 28 lines which said:

> IPv6 should be a simple matter of putting the same line in your
> ip6tables file.

My experience with attack mitigation is that tools do not always work
as advertised and sometimes do bad things (such as crashing the
machine). So, I agree, it "should be a simple matter" but I prefer to
test first.

[For instance, my IPv4 rule required a maximum of 2^28 buckets in
memory while an IPv6 rule with --hashlimit-srcmask 64 would require a
maximum of 2^64 buckets... What will be the effect on the system
memory?]
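The bucket-count concern in the message above is easy to reason about with a small script. The following is an added example, not code from the thread or from the iptables project: it shows how `--hashlimit-srcmask` collapses source addresses into buckets (one bucket per /28 for the IPv4 rule, one per /64 for IPv6), computes the theoretical number of distinct buckets versus the cap that `--hashlimit-htable-max` imposes, and renders the resulting `ip6tables` rule. The rate (`20/s`), burst, table name and cap values are constructed placeholders to be tuned on a test box, as the message recommends; `ASSUMED_BYTES_PER_ENTRY` is a labelled assumption, not the real size of a kernel hashlimit entry.

```python
import ipaddress

# Constructed assumption for a rough sizing estimate; the real per-entry
# footprint of the kernel's xt_hashlimit table is not given on this page.
ASSUMED_BYTES_PER_ENTRY = 64


def bucket_key(addr: str, srcmask: int) -> str:
    """Return the network address that hashlimit would use as the bucket key
    for `addr` when the rule uses --hashlimit-srcmask <srcmask>."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{ip}/{srcmask}", strict=False)
    return str(net.network_address)


def max_buckets(srcmask: int, family: int) -> int:
    """Theoretical number of distinct buckets for a given srcmask:
    2^28 for an IPv4 /28 rule, 2^64 for an IPv6 /64 rule."""
    bits = {4: 32, 6: 128}.get(family)
    if bits is None:
        raise ValueError("family must be 4 or 6")
    if not 0 <= srcmask <= bits:
        raise ValueError(f"srcmask must be between 0 and {bits} for IPv{family}")
    return 2 ** srcmask


def effective_cap(srcmask: int, family: int, htable_max: int) -> int:
    """Entries are created on demand and --hashlimit-htable-max bounds the
    table, so the practical worst case is the smaller of the two numbers."""
    return min(max_buckets(srcmask, family), htable_max)


def worst_case_bytes(srcmask: int, family: int, htable_max: int) -> int:
    """Rough upper bound on table memory under the assumed entry size."""
    return effective_cap(srcmask, family, htable_max) * ASSUMED_BYTES_PER_ENTRY


def hashlimit_rule(family: int, srcmask: int, htable_max: int,
                   rate: str = "20/s", burst: int = 100,
                   name: str = "dnslimit") -> str:
    """Render a DROP rule for UDP/53 that fires once a source bucket exceeds
    `rate`, with the hash table explicitly capped so memory stays bounded.
    Placeholder values: rate, burst and name are constructed for illustration."""
    tool = "iptables" if family == 4 else "ip6tables"
    return (
        f"{tool} -A INPUT -p udp --dport 53 -m hashlimit "
        f"--hashlimit-name {name} --hashlimit-mode srcip "
        f"--hashlimit-srcmask {srcmask} --hashlimit-above {rate} "
        f"--hashlimit-burst {burst} --hashlimit-htable-max {htable_max} "
        f"-j DROP"
    )


if __name__ == "__main__":
    # Two hosts in the same /64 land in the same bucket under srcmask 64.
    print(bucket_key("2001:db8::1", 64), bucket_key("2001:db8:0:0:ffff::1", 64))
    print("IPv4 /28 theoretical buckets:", max_buckets(28, 4))
    print("IPv6 /64 theoretical buckets:", max_buckets(64, 6))
    print("IPv6 capped at 1,000,000 entries ->",
          worst_case_bytes(64, 6, 1_000_000), "bytes (assumed entry size)")
    print(hashlimit_rule(6, 64, 1_000_000))
```

The point to take away is that the 2^64 figure describes the key space, not an allocation: hashlimit creates entries only for sources it actually sees, so the number worth testing is what happens as the table approaches `--hashlimit-htable-max` under a flood, which is exactly the sort of thing to try on a lab machine before trusting the rule in production.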
