> In message <20130329034419.GA26823@meh.net.nz>, Ben Aitchison writes:
>> That said, a lot of these amplification attacks use ANY requests, which normal clients don't. And those could be rate limited down without affecting normal traffic I'm sure.
>
> And you need to learn that normal clients *do* issue type any queries. Blocking any queries would be easy if normal clients didn't issue any queries. You would have needed controls added to the nameserver to block them if there weren't normal clients issuing any queries.

So you fsckin' rate limit them to a reasonable level. Really, I've spent a disappointing amount of time listening to the "but but but you can't DOOOOOOOOO that" from the ISC camp over the years, and while I understand Vixie's concerns about breaking things in unexpected ways, the reality of it all is that a DDoS attack is trivially identifiable from other traffic for any number of reasons, such as "like duh we don't usually see a megabit of queries from off site" or "like duh we don't usually see repeated queries for the same question from off site" or "like duh we don't usually see ANY queries from off site". So now go back and read what Ben wrote again, because

>> And those could be rate limited down without affecting normal traffic I'm sure.

THIS BIT IS THE EFFIN' POINT, WHICH YOU GUYS KEEP EFFIN' IGNORING.

Look, this is a bad situation. Many networks don't BCP38. Many networks have unlimited open recursers. Many networks don't monitor for trouble. And then someone finds out how to take advantage. Well, all those things are bad, I'm sure we agree.

However, some of us have decades of precedent and lots of deployment that make running an open recurser a necessity. That CAN be done, at least in our case, through some exemptions, and then running everything else through a drinking straw, because we KNOW that normal usage patterns of remote clients are ${x}.

Now sadly I can't easily do a better job than just rate limiting inbound and outbound traffic because ISC won't entertain the idea. But what agenda does that bullheadedness serve? If you think you're "saving DNS" by not allowing administrators to twiddle with intelligent response rates, well, many of us will just take a bigger wrench and fix it with the brute force method.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
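The post argues that flood traffic stands out from normal client traffic on three signals (raw query volume from off site, the same question repeated, and ANY queries from off site) and that an operator can exempt known on-site networks and run everyone else through a "drinking straw". The following is an added example, not code from the thread or from any nameserver: a small per-client limiter that runs those three checks as token buckets over a constructed query log. The log format, the addresses, the rates and the reason labels are all assumptions made for the example.

```python
"""Per-client DNS query rate limiting with an on-site exemption list.

Added illustration, not code from the thread or from any nameserver.
Each off-site query is scored against three token buckets (ANY rate,
repeated-question rate, overall volume); exempt networks pass untouched.
Every address, name and rate below is constructed for the example."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Query-log line format assumed for this example: "<seconds> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z]+)$")


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/second, capped at `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class QueryLimiter:
    """Exempt on-site clients; everyone else goes through the drinking straw."""

    def __init__(self, exempt_nets, any_limit=(2, 3), repeat_limit=(3, 5), volume_limit=(10, 20)):
        # limits are (rate per second, burst); values are assumptions for the example
        self.exempt = [ip_network(n) for n in exempt_nets]
        self.any_b = defaultdict(lambda: TokenBucket(*any_limit))        # per client
        self.repeat_b = defaultdict(lambda: TokenBucket(*repeat_limit))  # per (client, qname, qtype)
        self.volume_b = defaultdict(lambda: TokenBucket(*volume_limit))  # per client

    def decide(self, now, client, qname, qtype):
        """Return why a query is answered or dropped; stop at the first failing bucket."""
        addr = ip_address(client)
        if any(addr in net for net in self.exempt):
            return "exempt"
        if qtype == "ANY" and not self.any_b[client].allow(now):
            return "any-rate"
        if not self.repeat_b[(client, qname.lower(), qtype)].allow(now):
            return "repeat-rate"
        if not self.volume_b[client].allow(now):
            return "volume-rate"
        return "ok"


def process_log(text, limiter):
    """Run every parsable log line through the limiter; returns [(client, reason), ...]."""
    decisions = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        decisions.append((m["client"], limiter.decide(float(m["t"]), m["client"], m["qname"], m["qtype"])))
    return decisions


def summarize(decisions):
    """Count decisions by reason, overall and per client."""
    overall = Counter(reason for _, reason in decisions)
    per_client = defaultdict(Counter)
    for client, reason in decisions:
        per_client[client][reason] += 1
    return overall, per_client


def _burst(client, names, qtype, n, start, step):
    """Constructed log lines: n queries from one client, `step` seconds apart."""
    return [f"{start + i * step:.3f} {client} {names[i % len(names)]} {qtype}" for i in range(n)]


# Constructed traffic mix (not real data): one on-site client, four off-site ones.
SAMPLE_LOG = "\n".join(
    _burst("10.0.0.5", ["example.com"], "ANY", 20, 0.0, 0.05)                                   # on-site, exempt
    + _burst("203.0.113.9", ["example.com"], "ANY", 30, 1.0, 0.01)                              # off-site ANY flood
    + _burst("198.51.100.7", ["www.example.com"], "A", 30, 2.0, 0.01)                           # same question repeated
    + _burst("198.51.100.8", [f"host{i}.example.com" for i in range(10)], "A", 10, 3.0, 0.1)    # ordinary client
    + _burst("192.0.2.33", [f"h{i}.example.net" for i in range(40)], "A", 40, 4.0, 0.001)       # raw volume
)

EXEMPT_NETS = ["10.0.0.0/8"]  # assumed on-site network for the example


def run_example():
    return summarize(process_log(SAMPLE_LOG, QueryLimiter(EXEMPT_NETS)))


if __name__ == "__main__":
    overall, per_client = run_example()
    for client, counts in per_client.items():
        print(client, dict(counts))
    print("total", dict(overall))
```

The exempt client's 20 ANY queries all pass, while the off-site ANY flood gets only its small burst through and the rest is dropped with reason `any-rate`; the repeated-question client and the raw-volume client are cut off by their own buckets, and the client asking ordinary distinct questions at a modest rate is never touched. Checking the cheap, specific signals (ANY, repeated question) before the generic volume bucket keeps the volume bucket from being spent on traffic a narrower rule would already have dropped.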