[dns-operations] Continued weekly DDoS fun

[Tom Daly]

> There are commercial DDoS mitigation products available from various 
> vendors which specifically help mitigate DDoS against DNS (full  
> disclosure:  my employer, Cisco Systems, is one such vendor).
> 
> There are also commercial DDoS mitigation services based upon these  
> technologies, known as 'Clean Pipes' services, which provide this type
> of mitigation for a fee.

Roland,
Thanks for the suggestions. In our case, we have the detection and mitigation tools in house, our general problem is upstream bandwidth (we have a lot, but don't like going over commits). We also have some DPI gear we employ, but it really isn't worthwhile for non-port 53 type attacks (like shooting a bird with a canon). When the pipes flood, there really isn't much to be done.

> I'm unsure if either of these options is viable for dyndns.org;  
> otherwise, S/RTBH is a common  reaction/mitigation tool utilized by  
> SPs to mitigate DDoS in general (usual cautions about being gamed into
> blocking non-attacking nodes/networks whose addresses are being  
> spoofed applies).

RTBH is always an option, but this was hitting all NSes, so blackholing them all would be bad for our SLA. :) Certainly, if more providers supported features like Juniper's Flow Spec extensions to BGP, we'd never need to call a NOC and we could automate the whole problem away.

Tom

-- 
Tom Daly
tom at dyn-inc.com
Dynamic Network Services, Inc.
http://dynamicnetworkservices.com/