nanog mailing list archives

Re: Open Resolver Problems


From: William Herrin <bill () herrin us>
Date: Mon, 25 Mar 2013 13:51:44 -0400

On Mon, Mar 25, 2013 at 12:51 PM, Nick Hilliard <nick () foobar org> wrote:
> On 25/03/2013 16:35, Alain Hebert wrote:
>>     That might be just me, but I find those peers allowing their
>> customers to spoof source IP addresses more at fault.
>
> that is equally stupid and bad.

Nothing equal about it. Open resolvers (and other forms of
amplification attacks like the basic smurf) are a problem if and only
if a target's source IP address can be spoofed. Service providers
intentionally or negligently permitting their users to spoof source
addresses outside that ISP's domain are the *root cause* of the
problem.

Even if you close all the open resolvers, most authoritative responses
are larger than the queries. At best you've shrunk the amplification
factor. What will you do next? Insist that everybody host their DNS
somewhere sophisticated rather than running their own server?

Hassling the folks who run open resolvers further victimizes the
innocent. If you want to solve the problem, start by cleaning up your
border so that only locally valid sources can exit. Next, identify
peers who fail to demonstrate adequate control over their sources.
Finally, set filters on those peers so that sources inconsistent with
the received routes are dropped.

They won't like it. They'll find it inconvenient, even disruptive to
their traffic engineering efforts. But at some point, TE has to take a
back seat to closing network abuse issues.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
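The three steps Bill lays out (filter your own border so only locally valid sources leave, identify peers that do not control their sources, then drop sources inconsistent with the routes a peer announces) can be modelled in a few lines. The code below is an added example, not part of the original post or anything NANOG or Bill Herrin published; the peer names, the announced prefixes and the observed source addresses are constructed sample data drawn from the RFC 5737 / RFC 3849 documentation ranges, and the default route from "transit" is there to show the case where per-peer filtering cannot be applied.

```python
# Added example (not from the original post): a model of border egress
# filtering plus per-peer ingress source validation, in the spirit of BCP 38.
import ipaddress

# Constructed sample data. OUR_PREFIXES is the address space this network
# legitimately originates; PEER_ROUTES is what each (hypothetical) peer has
# announced to us. "transit" sending 0.0.0.0/0 models a default route.
OUR_PREFIXES = ["192.0.2.0/24", "2001:db8::/32"]
PEER_ROUTES = {
    "peer-a": ["198.51.100.0/24", "203.0.113.0/25"],
    "peer-b": ["203.0.113.128/25"],
    "transit": ["0.0.0.0/0"],
}


def covered(addr, prefixes):
    """True if addr falls inside any prefix in the list.

    ipaddress handles the address-family mismatch for us: an IPv4 address
    is never 'in' an IPv6 network and vice versa.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def egress_allowed(src, our_prefixes=OUR_PREFIXES):
    """Step 1: clean up your own border.

    A packet may leave only if its source is one of our prefixes. Anything
    else is a spoofed source and is dropped before it reaches a peer.
    """
    return covered(src, our_prefixes)


def ingress_allowed(peer, src, routes=PEER_ROUTES):
    """Step 3: filter a peer against the routes it sent us.

    A packet arriving from `peer` is accepted only if its source lies in a
    prefix that peer announced (strict per-peer source validation). A peer
    that announces a default route passes everything here, which is exactly
    why step 2 exists: such a peer has to be assessed by other means.
    Unknown peers announce nothing and are therefore fully dropped.
    """
    return covered(src, routes.get(peer, []))


def audit_peer(peer, observed_sources, routes=PEER_ROUTES):
    """Step 2: identify peers that fail to control their sources.

    Given source addresses seen arriving from a peer, return those that are
    inconsistent with its announcements. A non-empty list is the evidence
    you take to the peer, and the set the filter in step 3 would drop.
    """
    return [s for s in observed_sources if not ingress_allowed(peer, s, routes)]


if __name__ == "__main__":
    # Constructed sample of sources observed arriving from peer-a.
    seen = ["198.51.100.7", "192.0.2.1", "203.0.113.200"]
    print("egress 192.0.2.10 ->", egress_allowed("192.0.2.10"))
    print("egress 198.51.100.7 ->", egress_allowed("198.51.100.7"))
    print("peer-a spoofed sources ->", audit_peer("peer-a", seen))
    print("transit 198.51.100.7 ->", ingress_allowed("transit", "198.51.100.7"))
```

Note how "192.0.2.1" shows up in the peer-a audit: that is our own prefix arriving from outside, the classic spoof used to reflect traffic back at us, and it is caught by step 3 even though step 1 on the peer's side would have stopped it first. The strict per-peer check is also what breaks traffic engineering setups where a peer sends traffic for prefixes it does not announce to you; that is the inconvenience the post says has to take a back seat.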
