On Mar 29, 2013, at 6:58 PM, Joe Greco wrote:
Really, I've spent a disappointing amount of time listening to the "but b= ut but you can't DOOOOOOOOO that"=20
What they're really worried about is folks arbitrarily deciding to permanen= tly mask out ANY queries altogether as a matter of policy, rather than eith= er rate-limiting them or selectively filtering them during an actual attack= , and only within the scope of the servers/records being abused for that pa= rticular attack.
Many measures which are not only permissible but are often vitally necessar= y in order to achieve partial service recovery during an attack can cause p= rohibitive levels of brokenness when implemented as matters of permanently-= enforced policy. Given the history of such overt stupidity as blocking TCP= /53, disallowing UDP DNS packets larger than 512 bytes, blocking ICMP neces= sary for PMTU-D, et. al., their concerns are not unreasonable.
There's a difference between "concerns" and bullheadedness. In the meantime, refusing to give admins tools to cope with an attack in a surgical-strike manner is basically just helping the attackers. As an administrator, I can cause brokenness in any number of clever, dumb, or accidental ways. However, it is also up to me to cause the network to work in the manner we need it to, and if I had a better understanding of our traffic than Vixie has, /which I do/, then I am in a better place to make intelligent decisions about what should and shouldn't be allowed and at what rates. In the meantime, all the "but but but THAT'LL BREAK THE INTARWEB" stuff, okay, great, so they don't want to supply tools that might break things. News flash, 300Gbps DNS attack underway. Not like THAT will break anything. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.