nanog mailing list archives

Re: Open Resolver Problems

From: Alain Hebert <ahebert () pubnix net>
Date: Mon, 25 Mar 2013 13:34:26 -0400

    Hi,

    Well...


 On 03/25/13 12:51, Nick Hilliard wrote:

On 25/03/2013 16:35, Alain Hebert wrote:

    That might be just me, but I find those peers allowing their
customers to spoof source IP addresses more at fault.

that is equally stupid and bad.


    In my eyes, those peers are the source of it.

    One can justify Open Relay and the lag into moving into not being an
attack vector... while the  case for allowing IP spoofing is a tad
harder to justify.

    PS: Some form of adaptive rate limitation works for it btw =D

no, it doesn't.  In order to ensure that your resolver clients are serviced
properly, you need to keep the DNS query rate high enough that if someone
has a large bcp38-enabled botnet, they can trash the hell out of whoever
they want.


    We all need to be more flexible and actually work toward fixing both
end of the issue.


The best solution is to disable open recursion completely, and police your
clients regularly.

Nick


    I just intervene on one of today's DNS Amp... which is going to many
targets mind you... on a client with a NT4.0 Server and another with
FreeBSD 5.1 =D
    ( You can say bye bye to that NT4.0 client revenue :( )

    Now about some of "those" peers start enforcing some form of source
IP rules...

    PS: The Open Relay situation is easy to fix for a subscriber type
corp (like say a Cable provider)... and less for smaller outfit
providing all sort of IT services.

-----
Alain Hebert                                ahebert () pubnix net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

Current thread:

Re: Open Resolver Problems, (continued)
- - - Re: Open Resolver Problems Scott Noel-Hemming (Mar 29)
    - Re: Open Resolver Problems Mattias Ahnberg (Mar 25)
    - Re: Open Resolver Problems Jared Mauch (Mar 25)
    - Re: Open Resolver Problems Nick Hilliard (Mar 25)
    - Re: Open Resolver Problems Alain Hebert (Mar 25)
    - Re: Open Resolver Problems Joe Abley (Mar 25)
    - Re: Open Resolver Problems Måns Nilsson (Mar 25)
    - Re: Open Resolver Problems Joe Abley (Mar 25)
    - Re: Open Resolver Problems Mikael Abrahamsson (Mar 25)
    - Re: Open Resolver Problems Nick Hilliard (Mar 25)
    - Re: Open Resolver Problems Alain Hebert (Mar 25)
    - Re: Open Resolver Problems William Herrin (Mar 25)
    - Re: Open Resolver Problems Nick Hilliard (Mar 25)
    - Re: Open Resolver Problems William Herrin (Mar 25)
    - Re: Open Resolver Problems Jay Ashworth (Mar 26)
    - Re: Open Resolver Problems Mikael Abrahamsson (Mar 26)
    - Re: Open Resolver Problems Jared Mauch (Mar 25)
    - Re: Open Resolver Problems Jon Lewis (Mar 26)
    - Re: Open Resolver Problems Jared Mauch (Mar 26)
- Re: Open Resolver Problems Harry Hoffman (Mar 25)
  - Re: Open Resolver Problems Jared Mauch (Mar 25)

(Thread continues...)