[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems



 On 03/25/13 12:51, Nick Hilliard wrote:
> On 25/03/2013 16:35, Alain Hebert wrote:
>>     That might be just me, but I find those peers allowing their
>> customers to spoof source IP addresses more at fault.
> that is equally stupid and bad.

    In my eyes, those peers are the source of it.

    One can justify Open Relay and the lag into moving into not being an
attack vector... while the  case for allowing IP spoofing is a tad
harder to justify.

>>     PS: Some form of adaptive rate limitation works for it btw =D
> no, it doesn't.  In order to ensure that your resolver clients are serviced
> properly, you need to keep the DNS query rate high enough that if someone
> has a large bcp38-enabled botnet, they can trash the hell out of whoever
> they want.

    We all need to be more flexible and actually work toward fixing both
end of the issue.

> The best solution is to disable open recursion completely, and police your
> clients regularly.
> Nick

    I just intervene on one of today's DNS Amp... which is going to many
targets mind you... on a client with a NT4.0 Server and another with
FreeBSD 5.1 =D
    ( You can say bye bye to that NT4.0 client revenue :( )

    Now about some of "those" peers start enforcing some form of source
IP rules...

    PS: The Open Relay situation is easy to fix for a subscriber type
corp (like say a Cable provider)... and less for smaller outfit
providing all sort of IT services.

Alain Hebert                                ahebert at pubnix.net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443