It's quite possible to operate an open resolver while still making it very difficult to use in an amplification attack - maybe coach your user into using rate limiting if you are particularly keen not to 'shape' their traffic at this stage. PowerDNS has a very powerful load balancer that can be used effectively although it's name escapes me now. PowerDNS 3x and 4x also has an effective anti spoofing mechanism. *Kind Regards,Lee Fuller* *PGP Fingerprint <https://leefuller.io/pgp/>: * 4ACAEBA4B9EE1B3A075034302D5C3D050E6ED55A On 29 August 2016 at 18:04, Laszlo Hanyecz <laszlo@heliacal.net> wrote:
I know this is against the popular religion here but how is this abuse on the part of your customer? Google, Level3 and many others also run open resolvers, because they're useful services. This is why we can't have nice things.
On 2016-08-29 15:55, Jason Lee wrote:
NANOG Community,
I was curious how various players in this industry handle abuse complaints. I'm drafting a policy for the service provider I'm working for about handing of complaints registered against customer IP space. In this example I have a customer who is running an open resolver and have received a few complaints now regarding it being used as part of a DDoS attack.
My initial response was to inform the customer and ask them to fix it. Now that its still ongoing over a month later, I'd like to take action to remediate the issue myself with ACLs but our customer facing team is pushing back and without an idea of what the industry best practice is, management isn't sure which way to go.
I'm hoping to get an idea of how others handle these cases so I can develop our formal policy on this and have management sign off and be able to take quicker action in the future.
Thanks,
Jason