[dns-operations] Storm on the DNS

Bill Woodcock woody at pch.net
Tue Dec 1 15:34:15 UTC 2015


>> On Dec 1, 2015, at 15:53, Damian Menscher <damian at google.com> wrote:
>> When faced with a global outage, reducing the impact by achieving a partial site recovery is a good first step (true for any DDoS attack, not just DNS attacks).  It's not a great long-term plan, but I always say 90% up is better than 100% down.  Sacrificing some users buys you time (limiting PR and revenue impact of the outage), and you can then determine a strategy for mitigating the attack for the remaining affected users.

Yes, what he said.  Also, remember that the attacks don’t come out of thin air…  They are, by and large, spoofed UDP, coming from non-BCP-38-compliant networks.  The finer the anycast granularity, the more the pain is constrained to the networks from which the attack traffic originates.  So, yes, some locations show red in DNSmon, others show green in DNSmon.  The green ones are the ones serving BCP-38-compliant networks, the red are the ones serving non-BCP-38-compliant networks.  Simply spending more money to make it less painful for people to ignore BCP-38 isn’t really a scalable plan.

                                -Bill



