[dns-operations] CloudShield advices against dDoS
WBrown at e1b.org
Wed Feb 20 18:18:43 UTC 2013
Stephane wrote on 02/20/2013 11:46:51 AM:
> http://www.cloudshield.com/applications/dns-control-traffic-load.asp
>
> My first reaction was "These solutions are incredibly stupid" and my
> second one "But let's check among the experts at the dns-operations ML
> before trolling".
Even though I manage our name servers, I'm more of a DNS data consumer...
And two of his three points strike me as seriously flawed.
His first suggestion is to return false data instead of NXDOMAIN. So a
mail server that is attempting to deliver mail in good faith will have to
connect to itself to find out that user at bogusdomain.com is invalid? And
if it is an outbound relay, it may loop that message several times
depending on configuration before dropping it. If it had received an
NXDOMAIN, it may not have accepted the message in the first place. I'm
sure there are other situations where this will cause problems.
"This approach will drastically reduce traffic in case of an attack." Does
it really?
His second suggestion actually makes some sense. If your server can't
handle more than X, don't allow more than X to receive it. But make sure
X is sufficient to meet demand! Kind of like a two pound bird trying to
lay a three pound egg.
The third point makes me want to lock him out of all computers on the
planet and give him an Etch A Sketch. I had a network "security" guy here
do this to me. He threw up a firewall rule preventing more than Y
connections per minute. I forget the actual value of Y. Well, my spam
filters handling about 1,000 messages per minute could no longer reach the
DNS servers for the 5 or more DNS queries per message. Of course there
was absolutely no notification that this change was being made. It took
me three days to figure out what the frack happened. Only the off-hand
comment of one of the other network staff tipped me off. Thank $DEITY
he's long gone and I got to build two more DNS servers dedicated to the
spam filters.
Baseline the normal traffic before making such stupid assumptions!
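As an added illustration of the "baseline first" point above (example code, not part of the original post and not CloudShield's or the list's own tooling): the script below parses resolver query-log lines, counts queries per client per minute, reports each client's peak, and shows what a flat per-client cap would have dropped. The log format is assumed to be BIND9-style `client IP#port: query: NAME IN TYPE`, and all hosts, names and the 1,000-messages-per-minute / five-lookups-per-message workload are constructed to mirror the spam-filter scenario described in the mail.

```python
import re
from collections import defaultdict

# BIND9-style query log line (format assumed for illustration; adjust for your resolver):
# "20-Feb-2013 11:46:01.234 client 10.0.0.5#4312: query: host.example.net IN MX + (10.0.0.2)"
LINE_RE = re.compile(
    r"^(?P<day>\S+) (?P<minute>\d{2}:\d{2}):\d{2}\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

SPAM_FILTER = "10.0.0.5"   # constructed: the busy spam-filter host
WORKSTATION = "10.0.0.9"   # constructed: an ordinary, quiet client


def build_sample_log():
    """Constructed sample log: the spam filter handles 1,000 messages within one
    minute and issues five lookups per message (sender A, MX, TXT, two DNSBL
    checks); a workstation issues three lookups in the same minute."""
    lines = []
    for i in range(1000):
        sec, msec = (i * 60) // 1000, (i * 60) % 1000   # spread over 11:46:00-11:46:59
        stamp = f"20-Feb-2013 11:46:{sec:02d}.{msec:03d}"
        domain = f"sender{i % 37}.example.net"
        for name, qtype in (
            (f"mta{i}.{domain}", "A"),
            (domain, "MX"),
            (domain, "TXT"),
            (f"{i % 250}.0.0.198.dnsbl1.example.invalid", "A"),
            (f"{i % 250}.0.0.198.dnsbl2.example.invalid", "A"),
        ):
            lines.append(f"{stamp} client {SPAM_FILTER}#4312: query: {name} IN {qtype} + (10.0.0.2)")
    for name in ("www.example.com", "mail.example.com", "ntp.example.com"):
        lines.append(f"20-Feb-2013 11:46:30.000 client {WORKSTATION}#5100: query: {name} IN A + (10.0.0.2)")
    return lines


def per_minute_counts(lines):
    """Map (client IP, 'day HH:MM') -> number of queries seen in that minute."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        counts[(m.group("ip"), f"{m.group('day')} {m.group('minute')}")] += 1
    return counts


def peak_per_client(counts):
    """Highest queries-per-minute observed for each client: the baseline."""
    peaks = {}
    for (ip, _minute), n in counts.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks


def simulate_cap(counts, cap):
    """Queries per client that a flat 'cap queries per client per minute' rule
    would have refused, given the observed traffic."""
    dropped = defaultdict(int)
    for (ip, _minute), n in counts.items():
        if n > cap:
            dropped[ip] += n - cap
    return dict(dropped)


def suggest_cap(peaks, headroom=2.0):
    """Cap derived from the baseline rather than guessed: the busiest legitimate
    client's peak times a headroom factor (factor is an arbitrary example value)."""
    return int(max(peaks.values()) * headroom) if peaks else 0


if __name__ == "__main__":
    counts = per_minute_counts(build_sample_log())
    peaks = peak_per_client(counts)
    print("observed peaks (queries/minute):", peaks)
    print("dropped by a guessed cap of 300/min:", simulate_cap(counts, 300))
    print("cap suggested from baseline:", suggest_cap(peaks))
```

Run against a real query log, the peak table is what to look at before any per-client rate limit goes in; the spam filter in the constructed data needs about 5,000 queries per minute, so a cap of a few hundred silently refuses the bulk of its lookups, which is exactly the failure described above.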