Open Resolver Problems

William Herrin bill at herrin.us
Mon Mar 25 19:21:55 UTC 2013


On Mon, Mar 25, 2013 at 2:09 PM, Nick Hilliard <nick at foobar.org> wrote:
> On 25/03/2013 17:51, William Herrin wrote:
>> Hassling the folks who run open resolvers further victimizes the
>> innocent.
>
> running open resolvers will continue to be a major problem as a DDoS
> platform on the Internet until everyone implements BCP38.  When everyone
> has implemented ingress filtering, we can have a beer and agree that
> running open resolvers is less harmful.  Until then, though, they're a menace.

Nick,

Running [unauthenticated UDP-based service du jour] will continue to
be a major problem as a DDoS platform on the Internet until everyone
implements BCP38.

That [unauthenticated UDP-based service du jour] should thus be
disallowed is an untenable position. We depend on [unauthenticated
UDP-based service du jour] for the correct operation of the Internet,
including such examples as authoritative DNS servers.

We've been down this path before where we try to tighten the belt on
everything we don't absolutely critically need for the sake of
allowing the root problem to keep eking by. It ain't pretty and
ultimately it isn't successful either: we merely create an arms race
where the bad actors converge on the services we -can't- shut down.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
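The mechanism behind the argument above, as an added example that is not part of the original post: a reflection attack only works because the attacker can emit packets with a forged source address, and BCP38 ingress filtering at the attacker's own edge drops those packets before any reflector ever sees them, whatever UDP service is being abused. The simulation below is illustrative Python, not anything from NANOG or the thread; the prefixes are documentation ranges and the amplification factors are assumed constants chosen only to show that the filter's effect does not depend on the service.

```python
"""Toy model of a spoofed-source UDP reflection attack and a BCP38 ingress filter.

Everything here is constructed for illustration: addresses come from the
RFC 5737 documentation ranges and the amplification factors are made up.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical reflector services with assumed response/request size ratios.
# The exact numbers are not from the post; only their variety matters.
SERVICE_AMPLIFICATION = {
    "open-dns-resolver": 40,
    "other-udp-service": 200,
}


@dataclass(frozen=True)
class Packet:
    src: str   # claimed source IP (may be forged)
    dst: str
    size: int  # bytes


def bcp38_ingress_filter(pkt: Packet, customer_prefixes) -> bool:
    """BCP38 check at the customer-facing edge: only forward packets whose
    source address belongs to a prefix assigned to that customer."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(p) for p in customer_prefixes)


def reflect(pkt: Packet, service: str) -> Packet:
    """An unauthenticated UDP service answers whatever source the request
    claims, with a response larger than the request."""
    return Packet(src=pkt.dst, dst=pkt.src, size=pkt.size * SERVICE_AMPLIFICATION[service])


def run_attack(attacker_prefixes, victim_ip, reflector_ip, service,
               queries=1000, query_size=60, ingress_filtering=False):
    """Attacker inside attacker_prefixes sends queries spoofed as victim_ip.

    Returns (bytes delivered to the victim, packets dropped at the edge).
    """
    delivered = 0
    dropped = 0
    for _ in range(queries):
        spoofed = Packet(src=victim_ip, dst=reflector_ip, size=query_size)
        # The spoofed packet must first leave the attacker's network.
        if ingress_filtering and not bcp38_ingress_filter(spoofed, attacker_prefixes):
            dropped += 1
            continue
        response = reflect(spoofed, service)
        if response.dst == victim_ip:
            delivered += response.size
    return delivered, dropped


def compare_services(attacker_prefixes, victim_ip, reflector_ip):
    """Bytes reaching the victim per service, with and without BCP38 at the
    attacker's edge. Shows that filtering zeroes the attack regardless of
    which service is the reflector."""
    result = {}
    for service in SERVICE_AMPLIFICATION:
        without, _ = run_attack(attacker_prefixes, victim_ip, reflector_ip, service)
        with_bcp38, _ = run_attack(attacker_prefixes, victim_ip, reflector_ip, service,
                                   ingress_filtering=True)
        result[service] = (without, with_bcp38)
    return result


if __name__ == "__main__":
    attacker = ["198.51.100.0/24"]
    for svc, (a, b) in compare_services(attacker, "203.0.113.10", "192.0.2.53").items():
        print(f"{svc:20s} no filter: {a:>10d} bytes   BCP38: {b:>6d} bytes")
```

Legitimate traffic from the customer's own prefix still passes the same check, which is the whole point of BCP38: it rejects only what the customer could not legitimately originate.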
