Amazon's Elastic Load Balancer supports PROXY protocol version 1. This allows the server behind the load balancer to determine the original source IP address of a client connection.
However, the protocol specification makes clear in sections 2 and 5 that you must somehow ensure that only authorized endpoints can connect to a port that supports this protocol. Otherwise, a malicious user could connect directly to the server, bypass the proxy, and send a PROXY header claiming any source IP address they wish.
My question is, how do you do this with ELB? As far as I can tell, there's no fixed list of source IP addresses that can connect to your servers. There's no way to restrict a port so that only your ELB can connect to it. It seems that anyone can create an EC2 instance and connect directly to your server on the same port the ELB proxies to, impersonate the load balancer, and claim to be connecting from any IP address they please.
That can't be right. What am I missing?
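
Added example, not part of the original question and not code from AWS or the PROXY protocol authors: a receiver that applies the rule from sections 2 and 5 of the specification by checking the TCP peer against an allowlist before it honors a version 1 header. The `TRUSTED_PROXIES` CIDR, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: constructed CIDR standing in for the network your load balancer connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]
MAX_V1_HEADER = 107  # longest possible v1 line, CRLF included (per the spec)


def parse_proxy_v1(line: bytes):
    """Return (src_ip, src_port) from a v1 header, or None for 'PROXY UNKNOWN'."""
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ValueError("not a complete PROXY v1 line")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None  # the rest of the line is ignored by design
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("bad protocol or field count")
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(p) for p in parts[2:4])
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    for p in parts[4:6]:
        if not p.isdigit() or int(p) > 65535:
            raise ValueError("bad port")
    return str(src), int(parts[4])


def client_address(peer_ip: str, peer_port: int, header: bytes):
    """Decide which address to log and authorize on for a PROXY-enabled port."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # The header is only a claim; from an unauthorized peer it is worthless.
        raise PermissionError(f"{peer_ip} may not speak PROXY protocol here")
    claimed = parse_proxy_v1(header)
    return claimed if claimed is not None else (peer_ip, peer_port)


if __name__ == "__main__":
    hdr = b"PROXY TCP4 203.0.113.9 10.0.2.5 56324 443\r\n"  # constructed sample
    print(client_address("10.0.1.17", 40000, hdr))
    try:
        client_address("198.51.100.7", 40000, hdr)
    except PermissionError as exc:
        print("rejected:", exc)
```

The allowlist check runs before any parsing, so a direct connection from outside the trusted range is refused regardless of what its header claims.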