[dns-operations] Storm on the DNS

Marek Vavruša marek.vavrusa at nic.cz
Tue Dec 8 16:18:33 UTC 2015

Interesting things:

* 5mpps didn't consume the resources (back of the napkin calculations
says ~ 6 servers should cope with this), but saturated the pipes
* It looks easy to filter on fw, and RRL *should* mitigate this simple
attack (alas it wouldn't help much with saturated networks)

Does anybody know what kind of countermeasures were deployed (both
in-DNS and other filtering)?


On 8 December 2015 at 16:05, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Tue, Dec 01, 2015 at 09:16:58AM +0100,
>  Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
>  a message of 21 lines which said:
>> Same thing this morning: shorter but apparently more powerful (more
>> servers down).
> And a press release "corporate style":
> http://root-servers.org/news/events-of-20151130.txt
> Trying to downplay the problem by pretending that DNSmon is not
> indicative of what happens to normal traffic. (I used dig and other
> programs during the storm and they confirmed that DNSmon was right.)
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list