[dns-operations] about DNS attack

Damian Menscher damian at google.com
Sat May 31 02:09:26 UTC 2014


On Fri, May 30, 2014 at 1:30 AM, hua peng <huapeng at arcor.de> wrote:

> The people I know from a DNS service provider said they once got 60Gbps
> of DDoS attack. I am just curious how a common DNS cluster can
> defend against that large a flood. Does this mean at least the provider's
> network bandwidth must be larger than 60Gbps? And then how does the software
> handle this large amount of queries?
>

Attacks of that size are starting to become commonplace via amplification
as Roland mentions.  Your routers can filter them (assuming sufficient
peering capacity) by rate limiting packets that are likely participating in
such an attack (easy to distinguish by source-port and size).

There are also occasional direct (not amplified) attacks of that scale.
You can absorb them by using anycast to prevent the attack from
overwhelming any single datacenter, then running a pool of machines in each
location to handle local load.  Most attacks of that scale are using large
packets, so the query rate is not as high as you might think (but it can
still be quite high!).

Attacks at this scale are beyond the capabilities of most organizations, so
you should always do your part to identify and dismantle the botnet
infrastructure when possible.  Collecting a list of participating IPs and
notifying their abuse contacts helps.

Damian
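
The filtering and reporting steps described in the message above, as an added example that is not part of the original post: it flags UDP packets whose source port and size suggest an amplification reply and totals them per source IP for abuse notification. The record format, port list, size threshold and all function names are assumptions chosen for illustration.

```python
# Assumption: UDP source ports of services often abused as reflectors.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}
MIN_AMPLIFIED_BYTES = 400  # assumption: illustrative threshold, tune per network

# Constructed sample, one packet per line: src_ip proto sport dport bytes frag
SAMPLE = """\
192.0.2.10 udp 53 41234 1500 0
192.0.2.10 udp 0 0 1480 1
198.51.100.7 udp 123 53 468 0
198.51.100.20 udp 123 53 76 0
203.0.113.5 udp 33512 53 71 0
203.0.113.9 tcp 53 40000 1500 0
garbage line""".splitlines()

def parse_record(line):
    """Return a dict for one well-formed record, or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        sport, dport, size, frag = (int(p) for p in parts[2:])
    except ValueError:
        return None
    return {"src": parts[0], "proto": parts[1], "sport": sport,
            "dport": dport, "bytes": size, "frag": bool(frag)}

def classify(rec):
    """Return the abused service, 'fragment', or None for ordinary traffic."""
    if rec["proto"] != "udp":
        return None
    if rec["frag"]:
        return "fragment"  # non-initial fragment: no UDP header, so no ports to match
    service = REFLECTOR_PORTS.get(rec["sport"])
    return service if service and rec["bytes"] >= MIN_AMPLIFIED_BYTES else None

def reflector_report(lines):
    """Total suspect traffic per source as {src_ip: [service, packets, bytes]}."""
    report = {}
    for line in lines:
        rec = parse_record(line)
        label = classify(rec) if rec else None
        if label is None:
            continue
        entry = report.setdefault(rec["src"], [label, 0, 0])
        if entry[0] == "fragment":
            entry[0] = label  # upgrade once a packet with ports is seen
        entry[1] += 1
        entry[2] += rec["bytes"]
    return report

def abuse_list(report):
    """Source IPs ordered by bytes sent, largest first, for abuse notification."""
    return sorted(report, key=lambda ip: report[ip][2], reverse=True)
```

Small queries to port 53 and normal-sized NTP replies pass through unflagged, while trailing fragments are counted against their source because large amplified replies are usually fragmented.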