robt at cymru.com
Thu Mar 2 01:39:49 UTC 2006
] if i have a traffic problem, i tend to look to
] rate limiting techniques - not shutting down
] services. e.g. add -lots- more open recursive
] dns servers and each of them being rate limited
] to ~10% of first link b/w.
The problem with rate limiting is that it doesn't have a
discriminating palate; it will block or limit the good with
the bad. :)
Rate limiting also doesn't help if the amplifiers are limited
to circa 10% of their bandwidth, yet that is 100% more
bandwidth than the target has available. The miscreants
still launch attacks from dial-ups. As one miscreant noted,
10K of just about anything sending pings can still hurt.
DDoS is simply a question of resource exhaustion. Bandwidth
is a resource that can be exhausted. Interrupt saturation,
socket queues, et al.
ASSERT(coffee != empty);