[dns-operations] CloudShield advices against dDoS

WBrown at e1b.org WBrown at e1b.org
Wed Feb 20 18:18:43 UTC 2013

Stephane wrote on 02/20/2013 11:46:51 AM:

> http://www.cloudshield.com/applications/dns-control-traffic-load.asp
> My first reaction was "These solutions are incredibly stupid" and my
> second one "But let's check among the experts at the dns-operations ML
> before trolling".

Even though I manage our name servers, I'm more of a DNS data consumer...
And two of his three points strike me as seriously flawed.

His first suggestion is to return false data instead of NXDOMAIN.  So a 
mail server that is attempting to deliver mail in good faith will have to 
connect to itself to find out that user at bogusdomain.com is invalid?  And 
if it is an outbound relay, it may loop that message several times 
depending on configuration before dropping it.  If it had received an 
NXDOMAIN, it may not have accepted the message in the first place.  I'm 
sure there are other situations where this will cause problems. 

"This approach will drastically reduce traffic in case of an attack." Does 
it really?

His second suggestion actually makes some sense.  If your server can't 
handle more than X, don't allow more than X to receive it.  But make sure 
X is sufficient to meet demand!  Kind of like a two pound bird trying to 
lay a three pound egg. 

The third point makes me want to lock him out of all computers on the 
planet and give him an Etch A Sketch.  I had a network "security" guy here 
do this to me.  He threw up a firewall rule preventing more than Y 
connections per minute.  I forget the actual value of Y.  Well, my spam 
filters handling about 1,000 messages per minute could no longer reach the 
DNS servers for the 5 or more DNS queries per message.  Of course there 
was absolutely no notification that this change was being made.  It took 
me three days to figure out what the frack happened.  Only the off-hand 
comment of one of the other network staff tipped me off.  Thank $DEITY 
he's long gone and I got to build two more DNS servers dedicated to the 
spam filters.

Baseline the normal traffic before making such stupid assumptions!

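The baselining the post calls for can be done from a query log before any per-source limit is deployed. The following is an added example, not part of the original message: it assumes a simple three-field log format and a hypothetical limit of 600 queries per minute (the post does not give Y), and it runs on a constructed log sized to the post's 1,000 messages per minute at 5 queries per message.

```python
from collections import Counter, defaultdict

# Constructed sample query log, one line per query: "<ISO timestamp> <client IP> <qname>".
# 192.0.2.10 stands in for a spam filter doing 1,000 messages/min x 5 lookups each;
# 192.0.2.77 stands in for an ordinary desktop resolver client.
def sample_log():
    lines = []
    for minute in (0, 1):
        for i in range(5000):
            lines.append(f"2013-02-20T18:{minute:02d}:{i % 60:02d} 192.0.2.10 q{i}.example.net")
        for i in range(12):
            lines.append(f"2013-02-20T18:{minute:02d}:{i:02d} 192.0.2.77 www.example.org")
    return lines

def baseline(lines):
    """Return {client: Counter{minute: queries}} from the log lines."""
    per_client = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess at their meaning
        ts, client, _qname = parts
        per_client[client][ts[:16]] += 1  # truncate timestamp to YYYY-MM-DDTHH:MM
    return per_client

def check_limit(per_client, limit_per_min):
    """List clients whose observed normal traffic a per-source limit would cut."""
    report = []
    for client, minutes in sorted(per_client.items()):
        peak = max(minutes.values())
        dropped = sum(max(0, n - limit_per_min) for n in minutes.values())
        total = sum(minutes.values())
        if dropped:
            report.append({"client": client, "peak_per_min": peak,
                           "dropped": dropped,
                           "dropped_pct": round(100 * dropped / total, 1)})
    return report

if __name__ == "__main__":
    PROPOSED_LIMIT = 600  # hypothetical value; the post does not give Y
    for row in check_limit(baseline(sample_log()), PROPOSED_LIMIT):
        print(row)
```

A non-empty report means the proposed limit would drop legitimate queries from a known client, which is the case to resolve before the rule is applied.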