[161961] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Fri Mar 29 08:06:53 2013

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Fri, 29 Mar 2013 12:06:36 +0000
In-Reply-To: <201303291158.r2TBw4jm087896@aurora.sol.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 29, 2013, at 6:58 PM, Joe Greco wrote:

> Really, I've spent a disappointing amount of time listening to the "but but but you can't DOOOOOOOOO that"

What they're really worried about is folks arbitrarily deciding to permanently mask out ANY queries altogether as a matter of policy, rather than either rate-limiting them or selectively filtering them during an actual attack, and only within the scope of the servers/records being abused for that particular attack.

Many measures which are not only permissible but are often vitally necessary in order to achieve partial service recovery during an attack can cause prohibitive levels of brokenness when implemented as matters of permanently-enforced policy.  Given the history of such overt stupidity as blocking TCP/53, disallowing UDP DNS packets larger than 512 bytes, blocking ICMP necessary for PMTU-D, et al., their concerns are not unreasonable.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
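
The distinction the post draws, as an added example that is not from the thread or from the poster: a toy simulation comparing a permanent "drop every ANY query" rule with rate limiting applied only to the record being abused in the current attack. The query stream, client addresses (RFC 5737 documentation ranges) and domain names are constructed sample data.

```python
"""Blanket ANY blocking versus attack-scoped response rate limiting.

Added example (not from the NANOG thread).  Every query record below is
constructed: a spoofed-source flood of ANY queries for one large record,
a few ordinary ANY queries (some mail software still sends them) and
routine A lookups from a normal client."""

# Each record: (timestamp_ms, client_ip, qname, qtype, legitimate)
FLOOD = [(100_000 + i * 3, "198.51.100.7", "big.example.", "ANY", False)
         for i in range(300)]
LEGIT_ANY = [(100_000 + j * 2_000, "192.0.2.10", "mail.example.", "ANY", True)
             for j in range(5)]
LEGIT_A = [(100_000 + k * 500, "192.0.2.10", "www.example.", "A", True)
           for k in range(20)]
QUERIES = sorted(FLOOD + LEGIT_ANY + LEGIT_A, key=lambda r: r[0])


def permanent_any_block(ts_ms, client, qname, qtype):
    """Blanket policy: refuse ANY regardless of load or who is asking."""
    return qtype != "ANY"


class ScopedRateLimiter:
    """Token bucket per (client, qname, qtype), consulted only for tuples the
    operator has flagged as abused in the current attack.  Integer
    milli-tokens keep the arithmetic exact; 1000 milli-tokens = one answer."""

    def __init__(self, rate_per_sec, burst, abused):
        self.rate, self.burst_mt = rate_per_sec, burst * 1000
        self.abused = set(abused)       # {(qname, qtype)} under attack now
        self.buckets = {}               # key -> (milli_tokens, last_ts_ms)

    def __call__(self, ts_ms, client, qname, qtype):
        if (qname, qtype) not in self.abused:
            return True                 # out of scope: answer normally
        key = (client, qname, qtype)
        tokens, last = self.buckets.get(key, (self.burst_mt, ts_ms))
        tokens = min(self.burst_mt, tokens + (ts_ms - last) * self.rate)
        allowed = tokens >= 1000
        self.buckets[key] = (tokens - 1000 if allowed else tokens, ts_ms)
        return allowed


def simulate(policy, queries=QUERIES):
    """Return {(qtype, legitimate): (answered, dropped)} for one policy."""
    counts = {}
    for ts, client, qname, qtype, legit in queries:
        answered, dropped = counts.get((qtype, legit), (0, 0))
        if policy(ts, client, qname, qtype):
            answered += 1
        else:
            dropped += 1
        counts[(qtype, legit)] = (answered, dropped)
    return counts
```

Running both policies over the same stream shows the blanket rule discarding the five legitimate ANY queries along with the flood, while the scoped limiter answers every legitimate query and still drops the bulk of the abused record's responses.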
