Hello,

On Thu, 20 Feb 2020 at 21:30, Daniel Sterling <sterling.daniel@gmail.com> wrote:

> As has been continually noted, this issue goes away if you use v4 TCP or v6 UDP.
IPv6 UDP is currently not broken, but that doesn't mean v6 is the solution to this problem. It just means the particular ISP has not yet deployed the same policies or "mitigations" for v6 traffic. As v6 adoption increases, so will abuse/misuse, especially when attackers notice that their attack traffic is rate-limited on v4 but not on v6 and P2P gaming switches from v4 to v6. At some point this will lead to "feature parity" in IPv6. So while v6 UDP currently works, I don't think we can assume that's permanent.

I disagree that this approach is necessary to keep the network running and the pagers from buzzing. In a much smaller eyeball environment (with much smaller chokepoints), we have mapped possibly amplified packets (IP fragments, DNS, NTP, memcached, et al.) to a specific queue. Unless the links are congested, this traffic passes just like any other traffic, and during congestion it only uses whatever bandwidth the queue has - no static rate-limits.

I'm not saying this will fix whatever the policies discussed here are supposed to fix, but there is always a way to improve and make the mitigations more nuanced.

Of course ISPs will protect the network and the customers. But whether you apply simple rate-limiting for some traffic or some AI-assisted auto-mitigation for traffic misuse, you gotta be prepared to monitor and update it, staying on top of at least the major false positives, not just short-term but long-term as well. After all, things tend to change over time.

lukas
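The distinction Lukas draws above, a static policer versus a queue with a guaranteed share, is easy to state and easy to get wrong when configuring a box, so here is a small single-time-slot model of the two behaviours. This is an added illustration, not code from the thread or from any ISP's deployment: the scheduler is a simplified HTB-style "rate plus ceil equals link speed" class, the units are arbitrary (read them as Mbit/s), and the three traffic scenarios are constructed for the comparison.

```python
"""Policer vs work-conserving queue class for amplification-prone traffic.

Added example, not from the mailing-list thread. It models, in a single
time slot, two ways of handling traffic that is suspected of being
amplification (DNS, NTP, IP fragments, memcached) at a chokepoint:

  * a static policer that drops whatever exceeds a fixed rate, link idle or not
  * a queue class with a guaranteed share that only constrains the traffic
    when the link is actually congested (HTB-style: rate + ceil = link speed)

Units are arbitrary (think Mbit/s); the scenarios are constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    amp_passed: float      # suspect (amplification-prone) traffic forwarded
    other_passed: float    # everything else forwarded
    amp_dropped: float
    other_dropped: float


def policer_then_fifo(amp_offered, other_offered, capacity, amp_rate):
    """Static rate-limit on the suspect class, then a shared FIFO link.

    The policer sits before the link, so it drops above `amp_rate` even when
    the link has plenty of headroom. If what remains still exceeds capacity,
    the FIFO drops from both classes in proportion to their share.
    """
    amp = min(amp_offered, amp_rate)
    total = amp + other_offered
    if total > capacity:
        scale = capacity / total
        amp, other = amp * scale, other_offered * scale
    else:
        other = other_offered
    return Result(amp, other, amp_offered - amp, other_offered - other)


def guaranteed_queue(amp_offered, other_offered, capacity, amp_guarantee):
    """Work-conserving scheduler with a guaranteed share for the suspect class.

    Each class first receives up to its guarantee (`amp_guarantee` for the
    suspect queue, the rest of the link for everything else); spare capacity
    is then handed to whichever class still has backlog. Nothing is dropped
    unless the link itself is full, which is the behaviour described in the
    post: no static limit, only a share that bites under congestion.
    """
    other_guarantee = capacity - amp_guarantee
    amp = min(amp_offered, amp_guarantee)
    other = min(other_offered, other_guarantee)
    spare = capacity - amp - other
    # Serve the non-suspect class first from the spare capacity so the
    # suspect queue can never squeeze legitimate traffic below its guarantee.
    extra_other = min(spare, other_offered - other)
    other += extra_other
    spare -= extra_other
    amp += min(spare, amp_offered - amp)
    return Result(amp, other, amp_offered - amp, other_offered - other)


def compare(amp_offered, other_offered, capacity=100.0, amp_limit=10.0):
    """Run both mechanisms on the same offered load; amp_limit is used as the
    policer rate and as the queue guarantee so the two are comparable."""
    return {
        "policer": policer_then_fifo(amp_offered, other_offered, capacity, amp_limit),
        "queue": guaranteed_queue(amp_offered, other_offered, capacity, amp_limit),
    }


# Constructed scenarios: (suspect traffic offered, other traffic offered)
SCENARIOS = {
    "idle link": (30.0, 20.0),
    "mild congestion": (60.0, 50.0),
    "full congestion": (30.0, 90.0),
}

if __name__ == "__main__":
    for name, (amp, other) in SCENARIOS.items():
        for mech, r in compare(amp, other).items():
            print(f"{name:16s} {mech:8s} amp {r.amp_passed:5.1f}/{amp:5.1f}"
                  f"  other {r.other_passed:5.1f}/{other:5.1f}"
                  f"  dropped amp {r.amp_dropped:5.1f}")
```

On the idle link the policer throws away two thirds of the suspect traffic while 50 units of capacity sit unused; the queue forwards all of it. Under mild congestion the queue still lets the suspect class take the 40 units nobody else wants. Only when the link is genuinely full do the two converge on the same 10-unit share, which is exactly the case the static limit was meant for. The price is that the queue needs a classifier and a scheduler on the congested interface rather than a one-line policer, and, as the post says, either way somebody has to keep watching the false positives.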