Lukas Tribus wrote:

> IPv6 UDP is currently not broken, that doesn't mean v6 is the solution
> to this problem. It just means the particular ISP did not yet deploy
> the same policies or "mitigations" for v6 traffic.

It is more likely that the ISP does not support v6 at all.

> In a much smaller eyeball environment (with
> much smaller chokepoints), we have mapped possibly amplified
> packets (ip frag, dns, ntp, memcached, et al.) to a specific queue.
> Unless the links are congested, this traffic passes just as any other
> traffic and during congestion it only uses whatever bandwidth the
> queue has - no static rate-limits.

That is a bad idea.

Static rate limit is necessary to discourage DoS attackers.

If the attacker sends a 10Mbps stream to an amplifier and the stream
is redirected to a victim at 100Mbps, 10Mbps rate limiting negates
the amplification.

                                        Masataka Ohta
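Added example, not from the thread or either poster: a minimal simulation of the two mitigations argued about above, using the 10Mbps-in / 100Mbps-out figures from the reply. A static token-bucket policer caps the amplified response stream regardless of link load, while a queue-only class with no static limit passes it in full whenever the link is not congested. Link capacity, background load, queue share, burst depth and the packet stream are all constructed values.

```python
# Constructed simulation: static policer vs. congestion-only class queue
# applied to an amplified UDP response stream (assumed values throughout).

def amplified_stream(attack_mbps, amp_factor, seconds=1.0, pkt_bytes=1250):
    """Responses leaving an amplifier: attack_mbps in, attack_mbps*amp out.
    Returns an evenly spaced list of (arrival_time, size_bytes)."""
    total_bytes = attack_mbps * 1e6 * amp_factor / 8 * seconds
    n = int(total_bytes // pkt_bytes)
    return [(i * seconds / n, pkt_bytes) for i in range(n)]

def static_policer_mbps(pkts, limit_mbps, burst_s=0.1, seconds=1.0):
    """Token bucket refilled at limit_mbps with a burst of burst_s seconds.
    Non-conforming packets are dropped no matter how idle the link is."""
    rate = limit_mbps * 1e6 / 8            # bytes per second
    tokens = burst = rate * burst_s
    last_t, passed = 0.0, 0
    for t, size in pkts:
        tokens = min(burst, tokens + (t - last_t) * rate)
        last_t = t
        if tokens >= size:                 # conforming: forward it
            tokens -= size
            passed += size
    return passed * 8 / 1e6 / seconds      # forwarded rate in Mbps

def queue_only_mbps(pkts, link_mbps, other_load_mbps, queue_share, seconds=1.0):
    """Class queue with no static limit: full throughput while the link has
    room, only the configured share of the link once it is congested."""
    demand = sum(s for _, s in pkts) * 8 / 1e6 / seconds
    if demand + other_load_mbps <= link_mbps:
        return demand                      # uncongested: the flood passes
    return min(demand, link_mbps * queue_share)

def compare(attack_mbps=10, amp_factor=10, limit_mbps=10):
    """Forwarded rate toward the victim under each policy (Mbps)."""
    pkts = amplified_stream(attack_mbps, amp_factor)
    return {
        "amplified_demand": attack_mbps * amp_factor,
        "static_limit": static_policer_mbps(pkts, limit_mbps),
        "queue_idle_link": queue_only_mbps(pkts, 1000, 200, 0.05),
        "queue_congested": queue_only_mbps(pkts, 1000, 950, 0.05),
    }

if __name__ == "__main__":
    for name, mbps in compare().items():
        print(f"{name:17s} {mbps:7.1f} Mbps")
```

With the defaults, the static policer forwards roughly 10Mbps (the burst allowance adds a little), while the queue-only policy forwards the full 100Mbps on an idle link and 50Mbps only once the link is congested.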
