> On 4 Dec 2023, at 08:21, Michael Hare via NANOG <[email protected]> wrote:
> 
> John-
> 
> This is little consolation, but at AS3128, I see the same thing to our 
> downstream at times, claiming to come from both 13335 and 15169 often 
> simultaneously at the tune of 25Kpps, "assuming it's not spoofed", which is 
> pragmatically impossible to prove for me given our indirect relationships 
> with these companies.  When I see these events, I typically also see a wide 
> variety of country codes participating simultaneously.  Again, assuming it's 
> not spoofed.  To me it just looks like effective harassment with 13335/15169 
> helping out.  I pine for the internet of the 1990s.

Just set TC=1 for those clients.  If you get queries over TCP then they were 
not spoofed.  If they are using DNS COOKIE (RFC 7873) you can send back 
BADCOOKIE to the initial (client cookie only) UDP request with your server 
cookie.  Identifying real DNS clients has been possible for years now.  It’s 
not hard.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
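
The UDP-side decision described in the reply above, as an added example that is not part of the original message and is not ISC or BIND code: a query with no COOKIE option gets TC=1, a client-cookie-only or wrong-cookie query gets BADCOOKIE carrying the server cookie, and a query with a valid server cookie is answered (as is anything that arrives over TCP). All function names are hypothetical; it assumes well-formed single-question queries and uses a truncated HMAC as the server cookie.

```python
import hashlib, hmac, struct

SECRET = b"constructed-demo-secret"  # assumption: per-server random secret
OPT_RR, COOKIE_OPT, BADCOOKIE = 41, 10, 23

def build_query(name, cookie=None, qid=0x1234):  # constructed sample input (A/IN, RD=1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    opt = b"" if cookie is None else b"\x00" + struct.pack(
        "!HHIHHH", OPT_RR, 1232, 0, 4 + len(cookie), COOKIE_OPT, len(cookie)) + cookie
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if opt else 0) + qname + b"\x00\x01\x00\x01" + opt

def server_cookie(client_cookie, client_ip):
    # Assumption: truncated HMAC-SHA256, not the interoperable RFC 9018 SipHash layout.
    return hmac.new(SECRET, client_cookie + client_ip.encode(), hashlib.sha256).digest()[:8]

def question_end(msg):
    i = 12  # skip the header, then the uncompressed QNAME, then QTYPE and QCLASS
    while msg[i]:
        i += 1 + msg[i]
    return i + 5

def find_cookie(msg):  # COOKIE option payload or None; assumes OPT is the only additional RR
    i = question_end(msg)
    for _ in range(struct.unpack("!H", msg[10:12])[0]):
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[i + 1:i + 11])
        rdata, i = msg[i + 11:i + 11 + rdlen], i + 11 + rdlen
        while rtype == OPT_RR and len(rdata) >= 4:
            code, olen = struct.unpack("!HH", rdata[:4])
            if code == COOKIE_OPT:
                return rdata[4:4 + olen]
            rdata = rdata[4 + olen:]
    return None

def decide(msg, client_ip):
    # For a query received over UDP: returns (action, reply); reply is set for truncate/badcookie.
    qid, flags = struct.unpack("!HH", msg[:4])
    question, cookie = msg[12:question_end(msg)], find_cookie(msg)
    head = lambda bits, ar: struct.pack("!6H", qid, 0x8000 | (flags & 0x0100) | bits, 1, 0, 0, ar)
    if cookie is None:
        return "truncate", head(0x0200, 0) + question  # TC=1: real clients retry over TCP
    if len(cookie) < 8:
        return "formerr", None
    good = server_cookie(cookie[:8], client_ip)
    if hmac.compare_digest(cookie[8:], good):
        return "answer", None
    opt = struct.pack("!HH", COOKIE_OPT, 16) + cookie[:8] + good
    # RCODE 23 is split: low 4 bits in the header, high 8 bits in the OPT TTL's top byte.
    rr = b"\x00" + struct.pack("!HHIH", OPT_RR, 1232, (BADCOOKIE >> 4) << 24, len(opt)) + opt
    return "badcookie", head(BADCOOKIE & 0xF, 1) + question + rr
```

Both replies are about the size of the query, so a spoofed source gains no amplification from them.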
