[161822] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Jack Bates)
Wed Mar 27 10:46:45 2013
Date: Wed, 27 Mar 2013 09:46:10 -0500
From: Jack Bates <jbates@brightok.net>
To: William Herrin <bill@herrin.us>
In-Reply-To: <CAP-guGVmF1UMFw9c02_FgvKbuaSj7fH6ngNLOEby9MPd4Cb91g@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 3/27/2013 9:34 AM, William Herrin wrote:
> On Wed, Mar 27, 2013 at 10:00 AM, Jack Bates <jbates@brightok.net> wrote:
>>
>> Tracking the clients would be a huge dataset and be especially complicated
>> in clusters. They'd be better off at detecting actual attack vectors rather
>> than rate limiting.
> I count this among the several reasons I intend to wait until a
> solution has been accepted into the bind mainline.
>
>
You'll also find that it serves little purpose. The only 2 methods for
stopping DNS amplification to my knowledge are:
1) tcp
2) require all requests to pad out to maximum response
3) BCP38 (in spirit)
The first has latency, load, and connection limitations. It is just too
expensive.
The second would stop amplification, however, it will not stop botnets
using them in attempts to hide the bot nodes in a very effective manner.
It's also unlikely that we'd ever see it implemented.
The only effective fix is still BCP38 (in spirit).
Jack
