[dns-operations] Configurable TC=1?

Roland Dobbins rdobbins at arbor.net
Mon Dec 21 15:16:31 UTC 2015

On 21 Dec 2015, at 21:25, Anand Buddhdev wrote:

> That's only true as long as the victim has sufficient inbound 
> bandwidth.
> Once the inbound bandwidth exceeds the router interface limits, ACLs
> don't help. Genuine queries don't even make it to the server.

I understand that.  That's why I specifically said that they would keep 
the unwelcome traffic off the server itself; the fact that a sufficient 
volume of such traffic could fill up transit links is so obvious that I 
didn't feel a need to comment upon it.

> It might be a naive attack in your opinion, but it's still quite 
> effective.

Hence my comment 'The sad part is that naive attacks like this succeed 
all too often due to the unpreparedness of the defenders (see below).'.

> There's only so much a defender can do. See below.

There's a lot more that defenders can do.  I've written and presented 
about it here and elsewhere, including at the RIPE conference.

It might be a good idea to ensure one fully understands the various 
tools and operational practices which defenders can and do utilize every 
day in order to successfully mitigate even large-scale DDoS attacks 
before (incorrectly) implying that defenders are simply at the mercy of 

There are several .pdf presos in this public folder which touch on 
various aspects of DDoS defense, FYI:


Roland Dobbins <rdobbins at arbor.net>
