nanog mailing list archives
Re: Open DNS Resolver reflection attack Mitigation
From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Fri, 8 Jun 2012 22:11:27 +0200
On Fri, Jun 08, 2012 at 12:56:23PM -0700, Owen DeLong <owen () delong com> wrote a message of 28 lines which said:
> IPv6 should be a simple matter of putting the same line in your ip6tables file.
My experience with attack mitigation is that tools do not always work as advertised and sometimes do bad things (such as crashing the machine). So, I agree, it "should be a simple matter" but I prefer to test first. [For instance, my IPv4 rule required a maximum of 2^28 buckets in memory while an IPv6 rule with --hashlimit-srcmask 64 would require a maximum of 2^64 buckets... What will be the effect on the system memory?]
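One way to test the memory question raised in the message above is to give the hashlimit table an explicit ceiling, so the entry count no longer depends on the srcmask width. This is an added example, not part of the original post. The rate, burst, cap and expiry values, the INPUT chain placement and the /28 IPv4 mask are assumptions.

```shell
#!/bin/sh
# Added example (constructed values): give the hashlimit table an explicit
# ceiling so that worst-case memory is set by --hashlimit-htable-max,
# not by how many prefixes the srcmask can distinguish.

HTABLE_MAX=65536       # assumed cap on tracked source prefixes
HTABLE_EXPIRE=60000    # assumed: drop idle entries after 60 s (value in ms)
RATE="20/second"       # assumed per-prefix query rate
BURST=40               # assumed burst allowance

# Worst-case entry count for a prefix length: min(2^mask, HTABLE_MAX).
# Masks of 31 bits or more are short-circuited because shell arithmetic
# cannot represent 2^64 and HTABLE_MAX is far below 2^31 anyway.
max_entries() {
    mask=$1
    if [ "$mask" -lt 31 ] && [ $((1 << mask)) -lt "$HTABLE_MAX" ]; then
        echo $((1 << mask))
    else
        echo "$HTABLE_MAX"
    fi
}

# Print (do not apply) the rate-limit rule for one address family.
# $1 = iptables or ip6tables, $2 = source prefix length to group by
dns_rule() {
    echo "$1 -A INPUT -p udp --dport 53 -m hashlimit" \
         "--hashlimit-name dns-$1 --hashlimit-mode srcip" \
         "--hashlimit-srcmask $2" \
         "--hashlimit-above $RATE --hashlimit-burst $BURST" \
         "--hashlimit-htable-max $HTABLE_MAX" \
         "--hashlimit-htable-expire $HTABLE_EXPIRE -j DROP"
}

# Dry run: review the output, then run it as root on a test machine.
for spec in "iptables 28" "ip6tables 64"; do
    set -- $spec
    echo "# $1 /$2: at most $(max_entries "$2") table entries"
    dns_rule "$1" "$2"
done
```

The script only prints the rules. How the module treats new source prefixes once the table is full should be checked on a test machine before deployment.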