Lukas Tribus wrote:
> IPv6 UDP is currently not broken, but that doesn't mean v6 is the solution to this problem. It just means the particular ISP did not yet deploy the same policies or "mitigations" for v6 traffic.
It is more likely that the ISP does not support v6 at all.
> In a much smaller eyeball environment (with much smaller chokepoints), we have mapped possibly amplified packets (IP frag, DNS, NTP, memcached, et al.) to a specific queue. Unless the links are congested, this traffic passes just as any other traffic, and during congestion it only uses whatever bandwidth the queue has - no static rate limits.
That is a bad idea. A static rate limit is necessary to discourage DoS attackers. If the attacker sends a 10Mbps stream to an amplifier and the stream is redirected to a victim at 100Mbps, 10Mbps rate limiting negates the amplification.

Masataka Ohta
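The following simulation is an added example, not code from either poster or from the thread. It applies a token-bucket rate limit to the response side of an amplifier and checks the claim above with the message's own figures (10 Mbps of requests, 10x amplification, a 10 Mbps static limit); the request size, bucket depth and evenly spaced arrival pattern are constructed assumptions, not measurements.

```python
"""Static rate limit vs. amplified UDP responses (constructed simulation)."""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Classic token bucket: sustained rate plus a bounded burst allowance."""
    rate_bps: float        # sustained egress rate, bits per second
    burst_bits: float      # bucket depth (maximum burst), bits
    tokens: float = 0.0
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bits  # bucket starts full

    def allow(self, t: float, size_bits: float) -> bool:
        # refill proportionally to elapsed time, never beyond the bucket depth
        self.tokens = min(self.burst_bits,
                          self.tokens + (t - self.last_t) * self.rate_bps)
        self.last_t = t
        if self.tokens >= size_bits:
            self.tokens -= size_bits
            return True
        return False  # response dropped by the limiter


def simulate(request_bps: float, amp_factor: float, limit_bps: float,
             duration_s: float = 1.0, req_bits: int = 8 * 60):
    """Return (unlimited_bps, limited_bps) of amplified traffic reaching the victim.

    Requests arrive evenly spaced at request_bps; each one triggers a response
    amp_factor times larger (constructed assumption, e.g. a reflector with a
    fixed amplification ratio). The limiter sits on the response path.
    """
    n_req = int(request_bps * duration_s / req_bits)
    resp_bits = req_bits * amp_factor
    bucket = TokenBucket(limit_bps, burst_bits=resp_bits * 2)  # small burst depth
    delivered_limited = 0.0
    for i in range(n_req):
        t = i * duration_s / n_req
        if bucket.allow(t, resp_bits):
            delivered_limited += resp_bits
    unlimited_bps = n_req * resp_bits / duration_s
    return unlimited_bps, delivered_limited / duration_s


if __name__ == "__main__":
    # Figures from the message: 10 Mbps in, 10x amplification, 10 Mbps limit.
    unlimited, limited = simulate(10e6, 10, 10e6)
    print(f"without limit: {unlimited / 1e6:.1f} Mbps toward the victim")
    print(f"with 10 Mbps static limit: {limited / 1e6:.1f} Mbps toward the victim")
```

With the limit set equal to the inbound request rate, the victim receives roughly what the attacker actually sent rather than ten times that, which is the point Ohta makes; a queue-only policy would pass the full amplified stream whenever the link is not congested.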