[dns-operations] Continued weekly DDoS fun
Tom Daly
tom at dyn-inc.com
Mon Jan 12 17:58:11 UTC 2009
> There are commercial DDoS mitigation products available from various
> vendors which specifically help mitigate DDoS against DNS (full
> disclosure: my employer, Cisco Systems, is one such vendor).
>
> There are also commercial DDoS mitigation services based upon these
> technologies, known as 'Clean Pipes' services, which provide this type
> of mitigation for a fee.
Roland,
Thanks for the suggestions. In our case, we have the detection and mitigation tools in-house; our general problem is upstream bandwidth (we have a lot, but don't like going over commits). We also have some DPI gear we employ, but it really isn't worthwhile for non-port 53 type attacks (like shooting a bird with a cannon). When the pipes flood, there really isn't much to be done.
> I'm unsure if either of these options is viable for dyndns.org;
> otherwise, S/RTBH is a common reaction/mitigation tool utilized by
> SPs to mitigate DDoS in general (usual cautions about being gamed into
> blocking non-attacking nodes/networks whose addresses are being
> spoofed apply).
RTBH is always an option, but this was hitting all NSes, so blackholing them all would be bad for our SLA. :) Certainly, if more providers supported features like Juniper's Flow Spec extensions to BGP, we'd never need to call a NOC and we could automate the whole problem away.
Tom
--
Tom Daly
tom at dyn-inc.com
Dynamic Network Services, Inc.
http://dynamicnetworkservices.com/