Open Resolver Problems

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Mar 29, 2013, at 6:58 PM, Joe Greco wrote:
> 
> > Really, I've spent a disappointing amount of time listening to the "but b=
> ut but you can't DOOOOOOOOO that"=20
> 
> What they're really worried about is folks arbitrarily deciding to permanen=
> tly mask out ANY queries altogether as a matter of policy, rather than eith=
> er rate-limiting them or selectively filtering them during an actual attack=
> , and only within the scope of the servers/records being abused for that pa=
> rticular attack.
> 
> Many measures which are not only permissible but are often vitally necessar=
> y in order to achieve partial service recovery during an attack can cause p=
> rohibitive levels of brokenness when implemented as matters of permanently-=
> enforced policy.  Given the history of such overt stupidity as blocking TCP=
> /53, disallowing UDP DNS packets larger than 512 bytes, blocking ICMP neces=
> sary for PMTU-D, et. al., their concerns are not unreasonable.

There's a difference between "concerns" and bullheadedness.

In the meantime, refusing to give admins tools to cope with an attack in
a surgical-strike manner is basically just helping the attackers.  As an
administrator, I can cause brokenness in any number of clever, dumb, or
accidental ways.  However, it is also up to me to cause the network to
work in the manner we need it to, and if I had a better understanding of
our traffic than Vixie has, /which I do/, then I am in a better place to
make intelligent decisions about what should and shouldn't be allowed
and at what rates.

In the meantime, all the "but but but THAT'LL BREAK THE INTARWEB" stuff,
okay, great, so they don't want to supply tools that might break things.
News flash, 300Gbps DNS attack underway.  Not like THAT will break 
anything.  

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]