[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

> In message <20130329034419.GA26823 at meh.net.nz>, Ben Aitchison writes:
> > That said, a lot of these amplifications attacks use ANY requests, which 
> > normal clients don't.  And those could be rate limited down without
> > effecting normal traffic I'm sure.
> And you need to learn that normal clients *do* issue type any
> queries.  Blocking any queries would be easy if normal clients
> didn't issue any queries.  You would have need controls added to
> nameserver to block them if there wern't normal clients issuing any
> queries.

So you fsckin' rate limit them to a reasonable level.

Really, I've spent a disappointing amount of time listening to the
"but but but you can't DOOOOOOOOO that" from the ISC camp over the
years, and while I understand Vixie's concerns about breaking things
in unexpected ways, the reality of it all is that a DDoS attack is
trivially identifiable from other traffic for any number of reasons,
such as "like duh we don't usually see a megabit of queries from off
site" or "like duh we don't usually see repeated queries for the same
question from off site" or "like duh we don't usually see ANY queries
from off site".

So now go back and read what Ben wrote again, because

> > And those could be rate limited down without
> > effecting normal traffic I'm sure.


Look, this is a bad situation.  Many networks don't BCP38.  Many
networks have unlimited open recursers.  Many networks don't monitor
for trouble.  And then someone finds out how to take advantage.

Well, all those things are bad, I'm sure we agree.

However, some of us have decades of precedent and lots of deployment
that make running an open recurser a necessity.  That CAN be done, at
least in our case, through some exemptions, and then running everything
else through a drinking straw, because we KNOW that normal usage 
patterns of remote clients are ${x}.  Now sadly I can't easily do a
better job than just rate limiting inbound and outbound traffic
because ISC won't entertain the idea.

But what agenda does that bullheadedness serve?

If you think you're "saving DNS" by not allowing administrators to
twiddle with intelligent response rates, well, many of us will just
take a bigger wrench and fix it with the brute force method.

... JG
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.