It's quite possible to operate an open resolver while still making it very difficult to use in an amplification attack - maybe coach your user into using rate limiting if you are particularly keen not to 'shape' their traffic at this stage. PowerDNS has a very powerful load balancer that can be used effectively, although its name escapes me now. PowerDNS 3.x and 4.x also have an effective anti-spoofing mechanism.
Kind Regards,
Lee Fuller
PGP Fingerprint <https://leefuller.io/pgp/>: 4ACAEBA4B9EE1B3A075034302D5C3D050E6ED55A

On 29 August 2016 at 18:04, Laszlo Hanyecz <las...@heliacal.net> wrote:

> I know this is against the popular religion here but how is this abuse on
> the part of your customer? Google, Level3 and many others also run open
> resolvers, because they're useful services. This is why we can't have nice
> things.
>
> On 2016-08-29 15:55, Jason Lee wrote:
>
>> NANOG Community,
>>
>> I was curious how various players in this industry handle abuse complaints.
>> I'm drafting a policy for the service provider I'm working for about
>> handling of complaints registered against customer IP space. In this example
>> I have a customer who is running an open resolver and have received a few
>> complaints now regarding it being used as part of a DDoS attack.
>>
>> My initial response was to inform the customer and ask them to fix it. Now
>> that it's still ongoing over a month later, I'd like to take action to
>> remediate the issue myself with ACLs, but our customer facing team is
>> pushing back and, without an idea of what the industry best practice is,
>> management isn't sure which way to go.
>>
>> I'm hoping to get an idea of how others handle these cases so I can develop
>> our formal policy on this and have management sign off and be able to take
>> quicker action in the future.
>>
>> Thanks,
>>
>> Jason
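The rate-limiting idea Lee points at is what BIND calls Response Rate Limiting (RRL) and what PowerDNS exposes as per-client limits: identical answers to one client netblock are capped per second, and the excess is either dropped or "slipped" as a tiny truncated (TC=1) reply that pushes a genuine client onto TCP, where the source address cannot be spoofed, while a spoofed victim receives almost nothing. The sketch below is an added example written for this page; it is not code from the thread, from PowerDNS or from BIND. The log format, the sample lines (TEST-NET addresses, an ANY flood for one zone beside a few ordinary lookups) and the 40-byte truncated-reply size are all constructed for illustration.

```python
"""Response Rate Limiting (RRL) sketch over a constructed resolver log.

Added example, not PowerDNS or BIND code. Responses are bucketed by
(client netblock, qname, qtype, second); above the per-second cap the
excess is dropped, except every Nth one, which is "slipped" as a small
TC=1 reply so a real client can retry over TCP.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RRLConfig:
    responses_per_second: int = 5   # identical answers allowed per block per second
    slip: int = 2                   # every Nth excess gets a TC=1 reply; 0 = drop all
    ipv4_prefix_length: int = 24    # client aggregation, as in BIND's ipv4-prefix-length
    ipv6_prefix_length: int = 56


def _client_block(ip, cfg):
    """Aggregate the client to a netblock so a spoofed /24 is rate-limited as one."""
    addr = ipaddress.ip_address(ip)
    plen = cfg.ipv4_prefix_length if addr.version == 4 else cfg.ipv6_prefix_length
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class ResponseRateLimiter:
    TC_REPLY_SIZE = 40  # constructed: roughly header + question section of a truncated reply

    def __init__(self, cfg=RRLConfig()):
        self.cfg = cfg
        self._counts = defaultdict(int)  # (block, qname, qtype, second) -> answers sent
        self._excess = defaultdict(int)  # (block, qname, qtype) -> over-limit responses

    def decide(self, ts, client_ip, qname, qtype, resp_size):
        """Return (action, bytes_sent) for one would-be response."""
        ident = (_client_block(client_ip, self.cfg), qname.lower().rstrip("."), qtype.upper())
        bucket = ident + (int(ts),)
        self._counts[bucket] += 1
        if self._counts[bucket] <= self.cfg.responses_per_second:
            return ("answer", resp_size)
        self._excess[ident] += 1
        if self.cfg.slip and self._excess[ident] % self.cfg.slip == 0:
            return ("slip", self.TC_REPLY_SIZE)   # TC=1 reply: legitimate clients retry over TCP
        return ("drop", 0)


def parse_line(line):
    """Constructed format: '<epoch> client=<ip> qname=<name> qtype=<type> size=<bytes>'."""
    ts, rest = line.split(None, 1)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return float(ts), kv["client"], kv["qname"], kv["qtype"], int(kv["size"])


def run(lines, cfg=RRLConfig()):
    """Replay log lines through the limiter and summarise what would have left the wire."""
    rrl = ResponseRateLimiter(cfg)
    actions = Counter()
    sent = unlimited = 0
    for line in lines:
        ts, client, qname, qtype, size = parse_line(line)
        action, out_size = rrl.decide(ts, client, qname, qtype, size)
        actions[action] += 1
        sent += out_size
        unlimited += size
    return {
        "actions": dict(actions),
        "bytes_sent": sent,
        "bytes_unlimited": unlimited,
        "amplification_cut": round(1 - sent / unlimited, 3),
    }


# Constructed sample: twelve 3200-byte ANY answers toward one (likely spoofed) address
# within a single second, plus three ordinary lookups from another client.
SAMPLE_LOG = [
    f"{1472486640 + i * 0.05:.2f} client=198.51.100.23 qname=example.net. qtype=ANY size=3200"
    for i in range(12)
] + [
    "1472486640.10 client=203.0.113.5 qname=www.example.org. qtype=A size=80",
    "1472486640.40 client=203.0.113.5 qname=mail.example.org. qtype=MX size=120",
    "1472486640.70 client=203.0.113.5 qname=example.org. qtype=AAAA size=96",
]

if __name__ == "__main__":
    print(run(SAMPLE_LOG))
```

With the defaults, the flood target gets five full answers, three truncated replies and four silent drops, while the ordinary client is untouched; the bytes reflected toward the flood target fall by more than half, and raising `responses_per_second` shows the limiter getting out of the way for legitimate load.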