[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

On Mar 29, 2013, at 6:58 PM, Joe Greco wrote:

> Really, I've spent a disappointing amount of time listening to the "but but but you can't DOOOOOOOOO that" 

What they're really worried about is folks arbitrarily deciding to permanently mask out ANY queries altogether as a matter of policy, rather than either rate-limiting them or selectively filtering them during an actual attack, and only within the scope of the servers/records being abused for that particular attack.

Many measures which are not only permissible but are often vitally necessary in order to achieve partial service recovery during an attack can cause prohibitive levels of brokenness when implemented as matters of permanently-enforced policy.  Given the history of such overt stupidity as blocking TCP/53, disallowing UDP DNS packets larger than 512 bytes, blocking ICMP necessary for PMTU-D, et. al., their concerns are not unreasonable.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton