[dns-operations] blocking recursers

Randy Bush randy at psg.com
Sat Mar 25 21:00:35 UTC 2006

>> presume i serve significant, i.e. users will notice if i
>> reject, zones.
> are you serving zones as a "tier" 1 (root), 2 (tld) or 3 (rest) ?
> I'll assume we'll be talking about "tier 3", cause my head would
> hurt way too much if I'd extrapolate to tier 2 or even 1... ;D

by your terms 2 and 3

>> if i had a record of the recursive servers used to reflect
>> an attack at my servers, would i be justified in blocking
>> every-day queries from them until they tested recursion-
>> free?  (with lots of explanation and clue-pots, of course)
> Blocking abusive traffic is something within your rights as a network
> c.q. services owner, but very much dependent on other things like
> service agreements, contracts etc. But in principle, yes. ;)
> Blocking *possible* abusive traffic (or something with a very high
> likelihood of being unwanted, abusive etc) can also be justified, if
> precautions are taken to prevent and mitigate false positives.

but this is not blocking either abusive or potentially abusive
traffic.  the problem is that the abusive traffic, when it comes,
is not usefully blockable.  hence the preemptive coercion, some
have called it extortion, blocking legitimate traffic in an attempt
to force social change.

>> same question if it is a list of recursers used to reflect
>> an attack on someone else's servers.
> If someone is a known criminal in .nl, why should you judge him
> as someone with a completely clean slate in .de ? On the other
> hand, if someone is a suspect, you should enquire a bit more, but
> not presume him/her/it guilty upfront.

i think it is a legitimate question to explore the ethical and
legal space of harming in self-defence when self cannot show it
has been attacked.

>> same question if it is a list of recursers not yet shown to be
>> used in an attack.  what have they done wrongly?  have they not
>> followed the standards, etc?
> They can be abused, that's one side of the story... However, do you
> know if it is provided in a "responsible" (aka monitored, tightly
> controlled) or irresponsible manner ?

at four in the morning, when the orns are used to generate 5gb
toward my server, i don't think whether they monitor is gonna be
responsive enough to suit my needs.

> Doing this as a massive scan (like ORDB, SORBS, etc) however is
> something I have reservations about.

because it is invasive?  or because it is too vigilante?  or ...?

> But, perhaps you could share some insights as to why you're
> asking ? ;)

no hidden agenda.  i am trying to think this thing through, and am
not so self-inflated that i am not interested in the opinions of
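The "tested recursion-free" check the thread keeps coming back to is, on the wire, a question of whether a server answers a query with RD set for a name it is not authoritative for and returns RA in the reply. The script below is an added example (not part of the mailing-list post) for auditing servers you administer yourself: it builds a minimal RFC 1035 query, classifies the reply from its header flags, and includes two constructed sample replies (a refusing authoritative server and an open recurser) so the parser runs offline. The IP `192.0.2.1`, the name `example.com`, and the query ID `0x1234` are placeholder values.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000          # message is a response
RD = 0x0100          # recursion desired (set by the client)
RA = 0x0080          # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qid=0x1234):
    """Build a UDP query for the A record of `name` with RD set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(raw):
    """Return the header fields this check needs: ID, QR, RA, RCODE, ANCOUNT."""
    if len(raw) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "ra": bool(flags & RA),
        "rcode": RCODE_NAMES.get(flags & RCODE_MASK, str(flags & RCODE_MASK)),
        "ancount": ancount,
    }


def classify(raw, expected_qid=None):
    """'closed' if RA is clear, 'open' if RA is set and an answer came back,
    otherwise 'ra-set-no-answer' (RA advertised but nothing resolved)."""
    h = parse_header(raw)
    if not h["qr"]:
        raise ValueError("not a response")
    if expected_qid is not None and h["id"] != expected_qid:
        raise ValueError("response ID does not match query")
    if not h["ra"]:
        return "closed"
    if h["rcode"] == "NOERROR" and h["ancount"] > 0:
        return "open"
    return "ra-set-no-answer"


def probe(server, name, timeout=3.0):
    """Send one query to `server` (an IP you administer) for a name outside
    the zones it serves, and classify the reply."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        raw, _ = s.recvfrom(4096)
    return classify(raw, qid)


# Constructed sample replies (not real captures) so the parser runs offline.
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
# Authoritative-only server refusing to recurse: QR|RD set, RA clear, RCODE=REFUSED.
CLOSED_SAMPLE = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0) + QUESTION
# Open recurser: QR|RD|RA set, one A record (192.0.2.1, documentation range) answered.
OPEN_SAMPLE = (struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + QUESTION
               + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print("closed sample:", classify(CLOSED_SAMPLE, 0x1234))
    print("open sample:  ", classify(OPEN_SAMPLE, 0x1234))
```

Query a name the server does not serve: an authoritative-only server should answer REFUSED with RA clear, while a server that returns an A record with RA set is recursing for anyone who asks and is the kind of reflector the thread is about. The ID check matters too, since a reply with the wrong ID is not the answer to your probe.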

