25 Mar 2013, 12:51 p.m.
On 25/03/2013 16:35, Alain Hebert wrote:
> That might be just me, but I find those peers allowing their customers to spoof source IP addresses more at fault.

that is equally stupid and bad.

> PS: Some form of adaptive rate limitation works for it btw =D

no, it doesn't. In order to ensure that your resolver clients are serviced properly, you need to keep the DNS query rate high enough that if someone has a large bcp38-enabled botnet, they can trash the hell out of whoever they want. The best solution is to disable open recursion completely, and police your clients regularly.

Nick