[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

On Mon, Mar 25, 2013 at 12:51 PM, Nick Hilliard <nick at foobar.org> wrote:
> On 25/03/2013 16:35, Alain Hebert wrote:
>>     That might be just me, but I find those peers allowing their
>> customers to spoof source IP addresses more at fault.
> that is equally stupid and bad.

Nothing equal about it. Open resolvers (and other forms of
amplification attacks like the basic smurf) are a problem if and only
if a target's source IP address can be spoofed. Service providers
intentionally or negligently permitting their users to spoof source
addresses outside that ISP's domain are the *root cause* of the

Even if you close all the open resolvers, most authoritative responses
are larger than the queries. At best you've shrunk the amplification
factor. What will you do next? Insist that everybody host their DNS
somewhere sophisticated rather than running their own server?

Hassling the folks who run open resolvers further victimizes the
innocent. If you want to solve the problem, start by cleaning up your
border so that only locally valid sources can exit. Next, identify
peers who fail to demonstrate adequate control over their sources.
Finally, set filters on those peers so that sources inconsistent with
the received routes are dropped.

They won't like it. They'll find it inconvenient, even disruptive to
their traffic engineering efforts. But at some point, TE has to take a
back seat to closing network abuse issues.

Bill Herrin

William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004