Open Resolver Problems

Alain Hebert ahebert at pubnix.net
Mon Mar 25 17:34:26 UTC 2013


    Hi,

    Well...


 On 03/25/13 12:51, Nick Hilliard wrote:
> On 25/03/2013 16:35, Alain Hebert wrote:
>>     That might be just me, but I find those peers allowing their
>> customers to spoof source IP addresses more at fault.
> that is equally stupid and bad.

    In my eyes, those peers are the source of it.

    One can justify an Open Relay and the lag in moving toward not being an
attack vector... while the case for allowing IP spoofing is a tad
harder to justify.

>
>>     PS: Some form of adaptive rate limitation works for it btw =D
> no, it doesn't.  In order to ensure that your resolver clients are serviced
> properly, you need to keep the DNS query rate high enough that if someone
> has a large bcp38-enabled botnet, they can trash the hell out of whoever
> they want.

    We all need to be more flexible and actually work toward fixing both
ends of the issue.

>
> The best solution is to disable open recursion completely, and police your
> clients regularly.
>
> Nick

    I just intervened on one of today's DNS Amps... which is going to many
targets, mind you... on a client with an NT4.0 Server and another with
FreeBSD 5.1 =D
    ( You can say bye bye to that NT4.0 client revenue :( )

    Now, how about some of "those" peers start enforcing some form of source
IP rules...

    PS: The Open Relay situation is easy to fix for a subscriber-type
corp (like, say, a Cable provider)... and less so for a smaller outfit
providing all sorts of IT services.

-----
Alain Hebert                                ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
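The two remedies argued over in the thread (close open recursion, then keep policing the clients that remain) both come down to reading the resolver's query log. The script below is an added example and not part of the original post or of any NANOG participant's code: it parses BIND 9 style querylog lines (the line shape is assumed; the addresses, names and timestamps are constructed from documentation ranges), flags clients that sit outside the networks the resolver is supposed to serve, and flags sources sending a burst of large-answer query types (ANY, TXT, DNSKEY, RRSIG) for the same name, the classic reflection pattern. The served prefix list and the burst threshold are assumptions you would replace with your own.

```python
"""Spot open-resolver abuse in BIND-style query logs.

Two checks, matching the two fixes discussed in the thread:
  1. queries from clients outside the prefixes the resolver should serve
     (recursion is effectively open to the world), and
  2. a burst of amplifying query types for one name from one source
     (the reflection pattern; the "client" is the spoofed victim).
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed BIND 9 querylog shape:
#   <date> <time> client <ip>#<port>: query: <name> IN <qtype> <flags> (<server>)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)"
)

# Query types whose answers are large relative to the query.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed sample log (RFC 5737 addresses); 203.0.113.7 plays the victim
# whose address is being spoofed toward an open resolver at 192.0.2.53.
SAMPLE_LOG = [
    "25-Mar-2013 17:30:01.101 client 203.0.113.7#4321: query: isc.org IN ANY +E (192.0.2.53)",
    "25-Mar-2013 17:30:01.102 client 203.0.113.7#4322: query: isc.org IN ANY +E (192.0.2.53)",
    "25-Mar-2013 17:30:01.103 client 203.0.113.7#4323: query: isc.org IN ANY +E (192.0.2.53)",
    "25-Mar-2013 17:30:01.104 client 203.0.113.7#4324: query: isc.org IN ANY +E (192.0.2.53)",
    "25-Mar-2013 17:30:01.105 client 203.0.113.7#4325: query: isc.org IN ANY +E (192.0.2.53)",
    "25-Mar-2013 17:30:01.106 client 203.0.113.7#4326: query: isc.org IN ANY +E (192.0.2.53)",
    "25-Mar-2013 17:30:02.001 client 192.0.2.10#53210: query: www.example.com IN A +E (192.0.2.53)",
    "25-Mar-2013 17:30:02.500 client 192.0.2.11#53211: query: example.com IN MX + (192.0.2.53)",
    "25-Mar-2013 17:30:03.000 general: info: something that is not a query line",
]


def parse_line(line):
    """Return a dict for a querylog line, or None for anything else."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    q["port"] = int(q["port"])
    return q


def analyse(lines, served_nets, burst_threshold=5):
    """Return {'outside': {ip: count}, 'bursts': {ip: [(name, qtype, count)]}}.

    served_nets: prefixes recursion is meant to serve (assumed; yours differ).
    burst_threshold: amplifying queries for one (name, qtype) from one
    source before it is reported (assumed value).
    """
    nets = [ipaddress.ip_network(n) for n in served_nets]
    outside = Counter()
    per_src = defaultdict(Counter)
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        ip = ipaddress.ip_address(q["ip"])
        # Check 1: client not in any served prefix -> recursion is open.
        if not any(ip in n for n in nets):
            outside[q["ip"]] += 1
        # Check 2: tally amplifying query types per source and name.
        if q["qtype"] in AMPLIFYING_QTYPES:
            per_src[q["ip"]][(q["name"], q["qtype"])] += 1
    bursts = {}
    for src, counts in per_src.items():
        hits = [(name, qt, n) for (name, qt), n in counts.items() if n >= burst_threshold]
        if hits:
            bursts[src] = sorted(hits)
    return {"outside": dict(outside), "bursts": bursts}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, ["192.0.2.0/24"], burst_threshold=5)
    for ip, n in report["outside"].items():
        print(f"recursion served outside allowed nets: {ip} ({n} queries)")
    for ip, hits in report["bursts"].items():
        for name, qt, n in hits:
            print(f"amplification pattern: {ip} asked {name}/{qt} {n} times")
```

On a live resolver the "client" in a reflection burst is the spoofed victim, not the attacker, which is why per-client rate limiting ends up throttling the victim's legitimate lookups rather than the abuse; the lasting fix is `allow-recursion` restricted to your own prefixes (check 1 should then report nothing) plus BCP38 filtering upstream so the spoofed queries never arrive.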




