[dns-operations] Continued weekly DDoS fun

Joe Abley jabley at hopcount.ca
Mon Jan 12 17:35:56 UTC 2009


On 2009-01-12, at 03:33, Tom Daly wrote:

> Our normal countermeasures are holding this back no problem, but the  
> frequency is getting pretty annoying. Is anyone else seeing anything  
> similar? Anyone have any more advanced mitigation techniques than
> the good old 'find and filter' cat and mouse game?

Have you considered reducing the number of zones each nameserver is  
authoritative for (and presumably vastly increasing the number of  
available servers) so that you can isolate individual servers under  
attack and protect the rest of your users?

Doing so might also make it a lot easier to identify whether  
particular domains are attracting the packet love more than others --  
it's entirely possible that the attack is not directed at dyndns per  
se, but at a domain that you happen to host. Figuring out which domain  
that is is difficult if each server hosts ten squidillion of them.

As to the more general solution to dealing with attack traffic, I keep  
hearing people advocating the solution "give money to arbor", not that  
I have any first-hand experience of such a solution, or any reason to  
promote arbor above others in that space.


Joe
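
The zone-isolation idea in the message above, sketched as an added example that is not part of the original post: each zone is served by a small subset of a larger server pool, so the set of servers under attack narrows down which zones could be the target. The server names, zone names, pool sizes and the hash-based assignment are all assumptions made for illustration.

```python
import hashlib
from itertools import combinations

# Constructed sample data: hypothetical server and zone names.
SERVERS = [f"ns{i}.example.net" for i in range(1, 9)]
ZONES = [f"zone{i:03d}.example" for i in range(200)]


def assign(zone, servers, per_zone):
    """Deterministically pick `per_zone` servers for a zone by hashing its name."""
    subsets = list(combinations(servers, per_zone))
    digest = hashlib.sha256(zone.encode()).digest()
    return frozenset(subsets[int.from_bytes(digest[:8], "big") % len(subsets)])


def build_map(zones, servers, per_zone):
    """Map every zone to the set of servers authoritative for it."""
    return {z: assign(z, servers, per_zone) for z in zones}


def candidates(zone_map, attacked):
    """Zones whose whole server set is under attack: the likely targets."""
    return sorted(z for z, ns in zone_map.items() if ns <= attacked)


def unaffected(zone_map, attacked):
    """Zones with no server at all in the attacked set."""
    return sorted(z for z, ns in zone_map.items() if not (ns & attacked))


if __name__ == "__main__":
    target = "zone042.example"  # assumed target, unknown to the operator
    # Compare "every server hosts every zone" with two servers per zone.
    for per_zone in (len(SERVERS), 2):
        zmap = build_map(ZONES, SERVERS, per_zone)
        attacked = zmap[target]  # servers seeing the attack traffic
        print(f"{per_zone} servers per zone: "
              f"{len(candidates(zmap, attacked))} candidate zones, "
              f"{len(unaffected(zmap, attacked))} zones unaffected")
```

With every zone on every server, all 200 zones are candidates and none are shielded; with two servers per zone, the candidate list shrinks to the zones sharing that exact pair, and zones on other servers see no attack traffic.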



