[dns-operations] First experiments with DNS dampening to fight amplification attacks

Lutz Donnerhacke lutz at iks-jena.de
Mon Sep 24 14:48:38 UTC 2012

Hi everybody,

After several heavy misuses of my authoritative servers, I was urged to
*solve* the problem. This is obviously not possible, but I'd like to share
my results with you.

I managed to drop the outgoing bandwidth from a saturated 100Mbps to 80% of
the incoming attack data rate in a first step. Now I stop each attack
within 40 packets. I do only respond to 30 out of 10000 queries.

Most production traffic is untouched. There is some collateral damage,
which needs to be investigated, i.e. recursive resolvers of IPv6 tunnel
providers with qmail customers are overblocked from time to time: The
defaults are not optimal yet.

Please have a look at http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening

