nanog mailing list archives
Re: Open Resolver Problems
From: Joe Greco <jgreco () ns sol net>
Date: Fri, 29 Mar 2013 07:20:48 -0500 (CDT)
> On Mar 29, 2013, at 6:58 PM, Joe Greco wrote:
>
> > Really, I've spent a disappointing amount of time listening to the "but but but you can't DOOOOOOOOO that"
>
> What they're really worried about is folks arbitrarily deciding to permanently mask out ANY queries altogether as a matter of policy, rather than either rate-limiting them or selectively filtering them during an actual attack, and only within the scope of the servers/records being abused for that particular attack.
>
> Many measures which are not only permissible but are often vitally necessary in order to achieve partial service recovery during an attack can cause prohibitive levels of brokenness when implemented as matters of permanently-enforced policy. Given the history of such overt stupidity as blocking TCP/53, disallowing UDP DNS packets larger than 512 bytes, blocking ICMP necessary for PMTU-D, et. al., their concerns are not unreasonable.
There's a difference between "concerns" and bullheadedness. In the meantime, refusing to give admins tools to cope with an attack in a surgical-strike manner is basically just helping the attackers.

As an administrator, I can cause brokenness in any number of clever, dumb, or accidental ways. However, it is also up to me to cause the network to work in the manner we need it to, and if I had a better understanding of our traffic than Vixie has, /which I do/, then I am in a better place to make intelligent decisions about what should and shouldn't be allowed and at what rates.

In the meantime, all the "but but but THAT'LL BREAK THE INTARWEB" stuff, okay, great, so they don't want to supply tools that might break things. News flash, 300Gbps DNS attack underway. Not like THAT will break anything.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
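The thread's distinction is between permanently masking out ANY queries and rate-limiting or selectively filtering them only during an attack, scoped to the records actually being abused. As an added illustration that is not part of the original post or of any resolver's code, here is a simplified response-rate limiter in that spirit: limits are keyed per (source /24, qname, qtype), so a spoofed source hammering one name with ANY is throttled while an unrelated client asking for a different record is unaffected. The class name, thresholds and sample query stream are all constructed for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

# Constructed example: per-(source /24, qname, qtype) response rate limiting.
# Excess answers are dropped, except that every Nth one is "slipped": sent
# truncated (TC=1) so a genuine client retries over TCP, while a spoofed
# source gets nothing useful amplified back to its victim.
class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, window=1.0):
        self.limit = responses_per_second   # identical responses/sec per key
        self.slip = slip                    # every Nth excess answer is slipped
        self.window = window                # sliding window length in seconds
        self.hits = defaultdict(deque)      # key -> timestamps inside the window
        self.excess = defaultdict(int)      # key -> count of over-limit answers

    @staticmethod
    def _key(src_ip, qname, qtype):
        # Bucket sources by /24 so an attacker cannot dodge the limit by
        # spoofing neighbouring addresses in the victim's netblock.
        net = ip_network(f"{src_ip}/24", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, now, src_ip, qname, qtype):
        """Return 'send', 'slip' (TC=1 to force a TCP retry) or 'drop'."""
        key = self._key(src_ip, qname, qtype)
        q = self.hits[key]
        while q and now - q[0] > self.window:   # expire old timestamps
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return "send"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "slip"
        return "drop"

# Constructed sample stream: one spoofed source sends 12 ANY queries for one
# name inside a single second while a legitimate client asks for an A record.
SAMPLE = [(i * 0.05, "198.51.100.7", "example.net", "ANY") for i in range(12)]
SAMPLE += [(0.3, "203.0.113.9", "www.example.net", "A")]

def run(sample=SAMPLE, **kw):
    """Apply the limiter to a query stream; return decisions per (src, qtype)."""
    rrl = ResponseRateLimiter(**kw)
    out = defaultdict(list)
    for now, src, qname, qtype in sorted(sample):
        out[(src, qtype)].append(rrl.decide(now, src, qname, qtype))
    return dict(out)

if __name__ == "__main__":
    for key, decisions in run().items():
        print(key, decisions)
```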