[dns-operations] Storm on the DNS
ogud at ogud.com
Sun Dec 6 22:06:02 UTC 2015
> On Dec 1, 2015, at 10:34 AM, Bill Woodcock <woody at pch.net> wrote:
>>> On Dec 1, 2015, at 15:53, Damian Menscher <damian at google.com> wrote:
>>> When faced with a global outage, reducing the impact by achieving a partial site recovery is a good first step (true for any DDoS attack, not just DNS attacks). It's not a great long-term plan, but I always say 90% up is better than 100% down. Sacrificing some users buys you time (limiting PR and revenue impact of the outage), and you can then determine a strategy for mitigating the attack for the remaining affected users.
> Yes, what he said. Also, remember that the attacks don’t come out of thin air… They are, by and large, spoofed UDP, coming from non-BCP-38-compliant networks. The finer the anycast granularity, the more the pain is constrained to the networks from which the attack traffic originates. So, yes, some locations show red in DNSmon, others show green in DNSmon. The green ones are the ones serving BCP-38-compliant networks, the red are the ones serving non-BCP-38-compliant networks. Simply spending more money to make it less painful for people to ignore BCP-38 isn’t really a scalable plan.
I agree 100% with Bill; there is no reason to try to improve the service level of root servers close to bad network operators.
We need a comprehensive map of network links that regularly allow spoofed traffic.
Right now the economics of defending DDoS attacks are all wrong, service providers need to spend lots of money and effort to increase capacity but attackers gain resources for free.
We need to increase the pain for people using providers that ignore BCP-38 filtering, then customers can vote with their feet. In the spam days cutting peering with providers of spam hosting was quite effective;
who will be first to cut peering arrangements to a non-BCP-38 provider?
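The thread turns on BCP 38 ingress filtering (source address validation): a packet arriving on a customer-facing interface whose source address is outside the prefixes assigned to that interface is spoofed and should be dropped at the edge. The following toy model is an added illustration, not code from the original post or from any of the posters; it assumes a hypothetical edge router with three interfaces and constructed sample traffic using documentation address space. It also goes one step beyond the mechanism itself and tallies how often each interface sources spoofed packets, the kind of per-link evidence the message above asks for when it calls for a map of links that regularly allow spoofed traffic.

```python
"""Toy model of BCP 38 ingress filtering (source address validation).

Added illustration, not part of the original dns-operations post. It assumes a
hypothetical edge router whose customer-facing interfaces each carry a fixed
set of assigned prefixes; a packet arriving on an interface with a source
address outside that interface's prefixes is treated as spoofed and dropped.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Hypothetical interface -> assigned customer prefixes (constructed sample data
# drawn from the documentation ranges 192.0.2/24, 198.51.100/24, 203.0.113/24
# and 2001:db8::/32, so nothing here refers to a real network).
INTERFACE_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/25"), ip_network("2001:db8:1::/48")],
    "ge-0/0/3": [ip_network("203.0.113.0/24")],
}

Packet = Tuple[str, str, str]  # (ingress interface, source address, destination)

# Constructed sample traffic heading for a hypothetical DNS server (203.0.113.53
# / 2001:db8:ffff::53); the comments state why each packet passes or fails.
SAMPLE_PACKETS: List[Packet] = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.53"),        # legitimate
    ("ge-0/0/1", "203.0.113.7", "203.0.113.53"),       # spoofed: belongs to another interface
    ("ge-0/0/2", "198.51.100.200", "203.0.113.53"),    # spoofed: outside the /25 (.0-.127)
    ("ge-0/0/2", "198.51.100.20", "203.0.113.53"),     # legitimate
    ("ge-0/0/2", "2001:db8:1::5", "2001:db8:ffff::53"),  # legitimate IPv6
    ("ge-0/0/3", "10.0.0.1", "203.0.113.53"),          # spoofed: private source address
    ("ge-0/0/3", "203.0.113.250", "203.0.113.53"),     # legitimate
]


def source_allowed(iface: str, src: str, table: Dict = INTERFACE_PREFIXES) -> bool:
    """BCP 38 check: True only if src lies inside a prefix assigned to iface.

    An unknown interface has no assigned prefixes, so nothing is allowed from it.
    ipaddress treats an IPv4 address as outside every IPv6 network and vice
    versa, so mixed-family spoofs are rejected without special handling.
    """
    addr = ip_address(src)
    return any(addr in net for net in table.get(iface, []))


def filter_packets(packets: List[Packet], table: Dict = INTERFACE_PREFIXES):
    """Apply the ingress filter to a batch of packets.

    Returns (accepted_packets, spoofed_count_per_interface).  Dropped packets
    are only counted, which is what an operator would export as a metric.
    """
    accepted: List[Packet] = []
    spoofed: Counter = Counter()
    for iface, src, dst in packets:
        if source_allowed(iface, src, table):
            accepted.append((iface, src, dst))
        else:
            spoofed[iface] += 1
    return accepted, spoofed


def spoofing_interfaces(packets: List[Packet], table: Dict = INTERFACE_PREFIXES,
                        threshold: float = 0.25) -> List[str]:
    """Crude 'spoof map': interfaces whose spoofed share of traffic meets threshold.

    Interfaces that never carried traffic are skipped (no division by zero).
    """
    total = Counter(iface for iface, _, _ in packets)
    _, spoofed = filter_packets(packets, table)
    return sorted(i for i in total if spoofed[i] / total[i] >= threshold)


if __name__ == "__main__":
    accepted, spoofed = filter_packets(SAMPLE_PACKETS)
    print(f"accepted {len(accepted)} of {len(SAMPLE_PACKETS)} packets")
    for iface, n in sorted(spoofed.items()):
        print(f"{iface}: {n} spoofed packet(s) dropped")
    print("interfaces sourcing >=40% spoofed traffic:",
          spoofing_interfaces(SAMPLE_PACKETS, threshold=0.4))
```

On the constructed sample, four packets pass and one spoofed packet is dropped on each interface; with a 40% threshold the spoof map flags ge-0/0/1 and ge-0/0/3. A real deployment would do the check in the forwarding plane (uRPF or an ingress ACL) and export the drop counters rather than compute them in Python, but the decision being made is exactly this one.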