[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Simon Munton
Simon.Munton at communitydns.net
Wed Jun 22 09:48:16 UTC 2011
On 22/06/2011 09:25, Dobbins, Roland wrote:
> if the server(s) in question can afford logging
On our systems, pretty much any form of per-packet logging, especially
to disk, would create a self-D/DoS much quicker than iptables, and
probably trash the hardware in the meantime.
We run an intelligent back-end that post processes the query levels and
tweaks the hash-limits (burst & sustain) on a per-IP, per-node (anycast)
basis. So far it's worked pretty well. Nothing is ever going to be
perfect; it's always a balance.
Also, this is only a first line of defence; the second line is manual
packet analysis to try and identify ways to (mostly) filter just the
attack traffic.
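As an added example (not code from the post or from Community DNS's back-end), a small Python model of the scheme Simon describes: hashlimit-style per-source-IP buckets with burst and sustain parameters, plus a post-processing pass that tightens the limits of sources whose query levels stand out. The class and function names, the thresholds and the sample IPs are assumptions.

```python
"""Model of per-source-IP burst/sustain limiting (hashlimit-style) with
a back-end pass that retunes limits from observed query levels.
Added example; names, thresholds and sample IPs are assumptions."""

class SourceLimiter:
    def __init__(self, sustain_pps=20.0, burst=50):
        self.default = (sustain_pps, burst)   # refill rate and bucket size
        self.overrides = {}                   # ip -> (sustain_pps, burst), set by retune()
        self.buckets = {}                     # ip -> (tokens, last_seen)

    def allow(self, ip, now):
        """Token bucket per source: refill at `sustain` tokens/s up to `burst`,
        spend one token per query; returns False when the bucket is empty."""
        sustain, burst = self.overrides.get(ip, self.default)
        tokens, last = self.buckets.get(ip, (burst, now))
        tokens = min(burst, tokens + (now - last) * sustain)
        ok = tokens >= 1.0
        self.buckets[ip] = (tokens - 1.0 if ok else tokens, now)
        return ok

    def retune(self, query_counts, window_s, baseline_pps=5.0, factor=10):
        """Back-end pass over the last window: sources whose query rate
        exceeds factor x baseline get a tight per-IP limit; others revert."""
        for ip, count in query_counts.items():
            if count / window_s > baseline_pps * factor:
                self.overrides[ip] = (baseline_pps, int(2 * baseline_pps))
            else:
                self.overrides.pop(ip, None)
        return dict(self.overrides)

def run_window(limiter, queries):
    """Feed (timestamp, source_ip) queries; return {ip: (allowed, dropped, seen)}."""
    stats = {}
    for ts, ip in sorted(queries):
        a, d, s = stats.get(ip, (0, 0, 0))
        ok = limiter.allow(ip, ts)
        stats[ip] = (a + int(ok), d + int(not ok), s + 1)
    return stats

def constructed_window(start):
    """Constructed traffic: one source firing 200 queries/s (the pattern seen
    in reflection attacks, where the source is the spoofed victim) and one sending 5."""
    flood = [(start + i / 200.0, "203.0.113.7") for i in range(200)]
    legit = [(start + i * 0.2, "198.51.100.9") for i in range(5)]
    return flood + legit
```

Run one window, feed the per-IP query counts to `retune()`, then run the next window: the flooding source drops from roughly 70 answered queries to a handful, while the low-rate source is never dropped.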