On Mon, Mar 25, 2013 at 2:09 PM, Nick Hilliard <nick@foobar.org> wrote:
> On 25/03/2013 17:51, William Herrin wrote:
>> Hassling the folks who run open resolvers further victimizes the innocent.
>
> Running open resolvers will continue to be a major problem as a DDoS platform on the Internet until everyone implements BCP38. When everyone has implemented ingress filtering, we can have a beer and agree that running open resolvers is less harmful. Until then, though, they're a menace.
Nick,

Running [unauthenticated UDP-based service du jour] will continue to be a major problem as a DDoS platform on the Internet until everyone implements BCP38.

That [unauthenticated UDP-based service du jour] should thus be disallowed is an untenable position. We depend on [unauthenticated UDP-based service du jour] for the correct operation of the Internet, including such examples as authoritative DNS servers.

We've been down this path before, where we try to tighten the belt on everything we don't absolutely critically need for the sake of allowing the root problem to keep eking by. It ain't pretty, and ultimately it isn't successful either: we merely create an arms race where the bad actors converge on the services we -can't- shut down.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004