[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Simon Munton Simon.Munton at communitydns.net
Wed Jun 22 09:48:16 UTC 2011

On 22/06/2011 09:25, Dobbins, Roland wrote:
> if the server(s) in question can afford logging

On our systems, pretty much any form of per-packet logging, especially 
to disk, would create a self-D/DoS much quicker than iptables, and 
probably trash the hardware in the meantime.

We run an intelligent back-end that post-processes the query levels and 
tweaks the hash-limits (burst & sustain) on a per-IP, per-node (anycast) 
basis. So far it's worked pretty well. Nothing is ever going to be 
perfect; it's always a balance.

Also, this is only a first line of defence; the second line is manual 
packet analysis to try and identify ways to (mostly) filter just the 
attack traffic.
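
The per-IP hash-limit with separate burst and sustain values described above, as an added illustration that is not the poster's or Community DNS's own code: a token-bucket approximation of iptables hashlimit in srcip mode, plus a crude stand-in for the back-end that tightens limits per source after post-processing the query counts. The addresses, rates and traffic stream are constructed for the example.

```python
from collections import defaultdict

# Added illustration (not Community DNS's code): a per-source-IP token bucket
# approximating iptables hashlimit with --hashlimit-mode srcip,
# --hashlimit-upto <rate> (sustain) and --hashlimit-burst <burst>.
class HashLimit:
    def __init__(self, rate, burst):
        self.default = (float(rate), float(burst))
        self.limits = {}    # per-IP overrides set by the "back-end": ip -> (rate, burst)
        self.buckets = {}   # ip -> (tokens, timestamp of last packet)

    def limit_for(self, ip):
        return self.limits.get(ip, self.default)

    def allow(self, ip, ts):
        rate, burst = self.limit_for(ip)
        tokens, last = self.buckets.get(ip, (burst, ts))
        tokens = min(burst, tokens + (ts - last) * rate)   # refill since last packet
        ok = tokens >= 1.0
        self.buckets[ip] = (tokens - 1.0 if ok else tokens, ts)
        return ok

def simulate(limiter, packets):
    """packets: time-sorted (timestamp, src_ip) pairs -> {ip: (accepted, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in packets:
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

def retune(limiter, stats, tighten=0.5):
    """Crude stand-in for the post-processing back-end: sources that were
    mostly dropped in the last window get a tighter per-IP sustain and burst."""
    for ip, (accepted, dropped) in stats.items():
        if dropped > accepted:
            rate, burst = limiter.limit_for(ip)
            limiter.limits[ip] = (rate * tighten, max(1.0, burst * tighten))
    return limiter.limits

def constructed_stream(seconds=10, resolver_qps=5, flood_qps=500):
    """Constructed sample traffic: one legitimate resolver and one flooding
    source (e.g. a spoofed victim address) hitting the same authoritative node."""
    pkts = [(i / resolver_qps, "192.0.2.10") for i in range(seconds * resolver_qps)]
    pkts += [(i / flood_qps, "198.51.100.7") for i in range(seconds * flood_qps)]
    return sorted(pkts)

if __name__ == "__main__":
    lim = HashLimit(rate=20, burst=50)
    window = simulate(lim, constructed_stream())
    print(window)          # resolver fully served; flood capped near burst + rate * seconds
    print(retune(lim, window))   # flood source now gets a halved per-IP limit
```

The resolver is never throttled because its bucket is independent of the flooding source's, which is the property that makes a per-source hash-limit preferable to a global rate cap.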
