[dns-operations] DDOS/Collateral Damage BCPs

John Kristoff jtk at cymru.com
Fri Apr 16 01:31:09 UTC 2010


On Thu, 15 Apr 2010 09:43:19 -0700
Barry Raveendran Greene <bgreene at senki.org> wrote:

> They are getting the normal vendor advice of "put a bigger firewall,
> DPI, Loadbalancer." But, I usually find that this is not the best
> advice.

Certainly won't help much if the pipes on the way to those boxes are
already full.

> Q. Has anyone done any recent work on "architecture" guides for SP's
> DNS? This crew is using bind, they are clueful enough to break apart
> their customer resolvers and the slaves, and are willing to make
> changes.

Ultimately if someone wants to send enough packets their way, there may
not be much they can do until it happens.  Does anyone have enough
capacity to face down the packet sending potential of large numbers of
well connected colluding Internet hosts?

Anycast can help significantly and is widely used in the DNS operations
community.  However, many smaller or regional networks can get creative
in obtaining geographic (physical and topological) diversity for their
anycast nodes.  Lots of companies can run secondaries at reasonable
cost.  Cooperating organizations can also agree to host each other's
zones and perform secondary service.  More than a few .edu's have a
history of cooperation like this.

You could take a lesson from the DNS fast flux (and so-called double
fast flux) innovations commonly used by some phishing sites for example.
I know of one vendor who was at least considering this as a service, but
I'm not sure if anyone has commercialized it yet.

Have they collected data and reached out to the community?  It's not
much fun to do, it can be slow and it's certainly low tech, but they
should always be doing that alongside other active mitigation
techniques.

Rodney and I had a paper where we had an entire section devoted to
mitigation strategies from the DNS service provider perspective.  I
wouldn't say it's an architecture guide, but it might be helpful.
Unfortunately the official journal page seems to be offline, but here
is a local copy I had.  It might be a draft since we seem to have an
extra 'e' in Joffe.  :-)

  <http://layer9.com/~jtk/papers/dnsddos.pdf>

John
