[dns-operations] Continued weekly DDoS fun

Tom Daly tom at dyn-inc.com
Mon Jan 12 17:52:03 UTC 2009


> Have you considered reducing the number of zones each nameserver is  
> authoritative for (and presumably vastly increasing the number of  
> available servers) so that you can isolate individual servers under  
> attack and protect the rest of your users?
> 
> Doing so might also make it a lot easier to identify whether  
> particular domains are attracting the packet love more than others -- 
> it's entirely possible that the attack is not directed at dyndns per 
> se, but at a domain that you happen to host. Figuring out which domain
> that is is difficult if each server hosts ten squidillion of them.

Hi Joe,
That's such a plain, simple, and elegant suggestion that I'm embarrassed I didn't think of it. In this case, the nameserver set is responsible for 300 zones or so (but millions of hostnames). Culling out a few of the most probable domains is a good idea. Thank you.

Latest update from our research is that this probably isn't spoofed. About 350 source /24s (distributed in ~90 /8s) involved in yesterday's attack. What are people's thoughts about contacting RIR contacts for each offending IP to request assistance? I tend to believe there is varying beliefs on whether this helps or not, from "You spammed me", or "We don't help with that", to "we'll actually help you." I know when we get reports to our abuse desk we handle them, but not sure about the particularly ISPs in the APAC region (where much of this packet love is from, so we believe).

> As to the more general solution to dealing with attack traffic, I keep
> hearing people advocating the solution "give money to arbor", not that
> I have any first-hand experience of such a solution, or any reason to 
> promote arbor above others in that space.

Anyone from arbor on the list? I've got PCAPs for you if you are. :)

Thanks,
Tom




More information about the dns-operations mailing list