[161692] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Mar 25 12:45:47 2013

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <51507CCA.60901@pubnix.net>
Date: Mon, 25 Mar 2013 12:45:40 -0400
To: ahebert@pubnix.net
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 2013-03-25, at 12:35, Alain Hebert <ahebert@pubnix.net> wrote:

>    Well,
> 
>    Why would you only go after them?
> 
>    Easier target to mitigate the problem?
> 
>    That might be just me, but I find those peers allowing their
> customers to spoof source IP addresses more at fault.
> 
>    PS: Some form of adaptive rate limitation works for it btw =D

DNS servers (recursive and authoritative-only) are the low-hanging fruit du jour. I agree that there are many other effective amplifiers, and that even maximum DNS hygiene will not make the wider problem go away.

A quick note on your final comment, though: whilst adaptive response rate limiting (so-called RRL) is fast developing into an effective mitigation for reflection attacks against authority-only servers, there is far less experience with traffic patterns or the effects of rate-limiting (using RRL or anything else) on recursive servers.

The best advice for operation of recursive servers remains "restrict access to legitimate clients", not "apply rate-limiting".


Joe
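As an added illustration of the two pieces of advice in Joe's message (this is not part of the original thread or any NANOG poster's configuration): BIND 9 named.conf fragments showing the open-resolver shape, the same recursive server restricted to legitimate clients, and RRL applied only on the authority-only server. The file labels, the "trusted" ACL prefixes (RFC 5737 / RFC 3849 documentation ranges) and the rate-limit numbers are constructed placeholders; the rate-limit stanza assumes a BIND build with RRL support (9.9.4+ or 9.10+).

```conf
# Added example, not from the original message. Prefixes and values are
# constructed placeholders; replace them with your own client ranges.

# --- file: recursive/named.conf (open resolver: the shape to avoid) ---
# options {
#     recursion yes;
#     allow-query { any; };     # any host on the Internet may use the cache,
# };                            # so it can reflect and amplify toward victims

# --- file: recursive/named.conf (restricted to legitimate clients) ---
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;          # constructed: on-net customer range
    2001:db8::/32;         # constructed: on-net customer range
};

options {
    recursion yes;
    allow-recursion   { trusted; };   # who may ask this server to recurse
    allow-query-cache { trusted; };   # who may read answers already cached
    allow-query       { trusted; };   # this box serves no public zones
    # Deliberately no rate-limit stanza here: as the message notes, RRL on
    # recursive servers is far less understood than restricting the client set.
};

# --- file: authoritative/named.conf (authority-only: public data, use RRL) ---
# options {
#     recursion no;                 # never recurse on anyone's behalf
#     allow-query { any; };         # authoritative data must stay reachable
#     rate-limit {
#         responses-per-second 5;   # assumed starting value; tune per zone/traffic
#         window 5;                 # seconds over which identical responses count
#         slip 2;                   # every 2nd suppressed answer is sent truncated
#                                   # (TC=1) so genuine clients retry over TCP
#         log-only yes;             # observe first; set to "no" once rates look sane
#     };
# };
```

Check the recursive server from an address outside the "trusted" ACL: a query for a name you are not authoritative for should come back REFUSED, while the authority-only server should keep answering its own zones normally.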


