Open Resolver Problems

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2013-03-25, at 12:35, Alain Hebert <ahebert at pubnix.net> wrote:

>    Well,
> 
>    Why would you only go after them?
> 
>    Easier target to mitigate the problem?
> 
>    That might be just me, but I find those peers allowing their
> customers to spoof source IP addresses more at fault.
> 
>    PS: Some form of adaptive rate limitation works for it btw =D

DNS servers (recursive and authoritative-only) are the low-hanging fruit du jour. I agree that there are many other effective amplifiers, and that even maximum DNS hygiene will not make the wider problem go away.

A quick note on your final comment, though: whilst adaptive response rate limiting (so-called RRL) is fast developing into an effective mitigation for reflection attacks against authority-only servers, there is far less experience with traffic patterns or the effects of rate-limiting (using RRL or anything else) on recursive servers.

The best advice for operation of recursive servers remains "restrict access to legitimate clients", not "apply rate-limiting".


Joe

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]