On Mon, Mar 25, 2013 at 12:51 PM, Nick Hilliard <nick@foobar.org> wrote:
> On 25/03/2013 16:35, Alain Hebert wrote:
>> That might be just me, but I find those peers allowing their customers to spoof source IP addresses more at fault.
>
> that is equally stupid and bad.
Nothing equal about it. Open resolvers (and other forms of amplification attacks like the basic smurf) are a problem if and only if a target's source IP address can be spoofed. Service providers intentionally or negligently permitting their users to spoof source addresses outside that ISP's domain are the *root cause* of the problem.

Even if you close all the open resolvers, most authoritative responses are larger than the queries. At best you've shrunk the amplification factor. What will you do next? Insist that everybody host their DNS somewhere sophisticated rather than running their own server?

Hassling the folks who run open resolvers further victimizes the innocent. If you want to solve the problem, start by cleaning up your border so that only locally valid sources can exit. Next, identify peers who fail to demonstrate adequate control over their sources. Finally, set filters on those peers so that sources inconsistent with the received routes are dropped.

They won't like it. They'll find it inconvenient, even disruptive to their traffic engineering efforts. But at some point, TE has to take a back seat to closing network abuse issues.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
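The three-step remedy in the message above (egress-filter the border so only locally valid sources leave, audit peers for control of their sources, then drop sources inconsistent with the routes received from a peer) as an added Python illustration; it is not part of the original post, and the interface names, prefixes and sampled packets are constructed.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def build_table(received_routes: Dict[str, List[str]]):
    """Per ingress interface, the prefixes the peer on that interface announced to us."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in received_routes.items()}


def source_allowed_in(table, iface: str, src: str) -> bool:
    """Strict source check on a peering interface: accept only if a route covering
    the source was received over this same interface (the 'inconsistent with the
    received routes' rule). Note: this also drops legitimately asymmetric traffic,
    which is the traffic-engineering cost the post refers to."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(iface, []))


def source_allowed_out(local_prefixes: Iterable[str], src: str) -> bool:
    """Border egress check: only sources inside our own address space may exit."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in local_prefixes)


def audit_peers(table, samples: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count sampled packets per interface whose source fails the strict check;
    a persistently high count identifies a peer lacking control over its sources."""
    bad = Counter()
    for iface, src in samples:
        if not source_allowed_in(table, iface, src):
            bad[iface] += 1
    return dict(bad)


# Constructed sample data (documentation prefixes, hypothetical interface names).
RECEIVED_ROUTES = {
    "peer-A": ["192.0.2.0/24", "198.51.100.0/25"],
    "peer-B": ["203.0.113.0/24"],
}
LOCAL_PREFIXES = ["198.18.0.0/15"]
SAMPLES = [
    ("peer-A", "192.0.2.10"),       # consistent with routes from peer-A
    ("peer-A", "203.0.113.5"),      # route for this source came from peer-B: drop
    ("peer-B", "203.0.113.9"),      # consistent with routes from peer-B
    ("peer-B", "198.51.100.77"),    # no route to this source via peer-B: drop
]
TABLE = build_table(RECEIVED_ROUTES)

if __name__ == "__main__":
    print("ingress failures per peer:", audit_peers(TABLE, SAMPLES))
    print("198.18.5.5 may exit:", source_allowed_out(LOCAL_PREFIXES, "198.18.5.5"))
    print("192.0.2.10 may exit:", source_allowed_out(LOCAL_PREFIXES, "192.0.2.10"))
```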