[dns-operations] Configurable TC=1?
Roland Dobbins
rdobbins at arbor.net
Mon Dec 21 15:16:31 UTC 2015
On 21 Dec 2015, at 21:25, Anand Buddhdev wrote:
> That's only true as long as the victim has sufficient inbound
> bandwidth.
> Once the inbound bandwidth exceeds the router interface limits, ACLs
> don't help. Genuine queries don't even make it to the server.
I understand that. That's why I specifically said that they would keep
the unwelcome traffic off the server itself; the fact that a sufficient
volume of such traffic could fill up transit links is so obvious that I
didn't feel a need to comment upon it.
> It might be a naive attack in your opinion, but it's still quite
> effective.
Hence my comment: 'The sad part is that naive attacks like this succeed
all too often due to the unpreparedness of the defenders (see below).'
> There's only so much a defender can do. See below.
There's a lot more that defenders can do. I've written and presented
about it here and elsewhere, including at the RIPE conference.
It might be a good idea to ensure one fully understands the various
tools and operational practices which defenders can and do utilize every
day in order to successfully mitigate even large-scale DDoS attacks
before (incorrectly) implying that defenders are simply at the mercy of
attackers.
There are several .pdf presos in this public folder which touch on
various aspects of DDoS defense, FYI:
<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
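The thread subject asks about configurable TC=1: a server that, for sources it distrusts, answers a UDP query with only the question section and the TC (truncated) bit set, so a genuine resolver retries over TCP while a spoofed-source amplification query gets a reply no larger than the query itself. The following is an added example of that mechanism, not code posted by either participant. The DNS wire encoding follows RFC 1035; the TXT payloads, the query name, and the TruncatePolicy thresholds (a per-source sliding window after which the server truncates) are constructed for illustration and are assumptions, not anything the thread specifies.

```python
import struct
import time
from collections import defaultdict

# DNS header flag bits (RFC 1035 section 4.1.1)
QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080
QTYPE_TXT, QCLASS_IN = 16, 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=QTYPE_TXT):
    """A plain UDP query: 12-byte header with RD set plus a single question."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(data):
    """Return (qid, flags, question_bytes); rejects short or malformed queries."""
    if len(data) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated QNAME")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("label too long, or compression pointer in a query")
        pos += length
    pos += 4  # QTYPE + QCLASS
    if pos > len(data):
        raise ValueError("truncated question")
    return qid, flags, data[12:pos]


def txt_rr(text, ttl=300):
    """One TXT record; 0xC00C is a compression pointer to the question name at offset 12."""
    rdata = bytes([len(text)]) + text.encode("ascii")
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata


def build_response(query, answers, truncate=False):
    """Full answer, or (truncate=True) header + question only with QR|TC set and ANCOUNT=0."""
    qid, flags, question = parse_query(query)
    rflags = QR | RA | (flags & RD)
    if truncate:
        return struct.pack("!HHHHHH", qid, rflags | TC, 1, 0, 0, 0) + question
    body = b"".join(txt_rr(a) for a in answers)
    return struct.pack("!HHHHHH", qid, rflags, 1, len(answers), 0, 0) + question + body


def is_truncated(response):
    """True when the TC bit is set, i.e. the client is expected to retry over TCP."""
    return bool(struct.unpack("!H", response[2:4])[0] & TC)


def amplification(query, response):
    """Bytes sent back per byte received; the figure an amplification attack relies on."""
    return len(response) / len(query)


class TruncatePolicy:
    """Hypothetical per-source policy: beyond `limit` queries in `window` seconds, answer TC=1 only."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(list)

    def should_truncate(self, src_ip):
        now = self.clock()
        recent = [t for t in self.hits[src_ip] if now - t < self.window]
        recent.append(now)
        self.hits[src_ip] = recent
        return len(recent) > self.limit


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")          # constructed 29-byte query
    full = build_response(q, ["x" * 200] * 10)       # constructed large TXT answer
    small = build_response(q, [], truncate=True)
    print("full  :", len(full), "bytes, amplification %.1fx" % amplification(q, full))
    print("TC=1  :", len(small), "bytes, amplification %.1fx" % amplification(q, small))
```

The truncated reply is the same size as the query, so a spoofed source receives no amplification; a real resolver sees TC=1 and retries over TCP, which a spoofed source cannot complete. This addresses the amplification factor only: the flood of inbound queries still arrives on the link, which is the bandwidth point raised in the quoted reply above.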