[dns-operations] about anti-ddos DNS hostings

bert hubert bert.hubert at netherlabs.nl
Thu Jun 11 05:30:25 UTC 2015


On Thu, Jun 11, 2015 at 12:06:54PM +0800, Kevin C. wrote:
> Do you know which provider has a good anti-ddos systems and with a
> low price for bulk zones? I will suggest him switch to there.

No, this is something you can't offer right now. Geoff Huston's thinking on
this is instrumental:

http://labs.apnic.net/?p=624

"Defending your DNS is now a game that you only win if you can afford to win.
I worry that by concentrating on the victim rather than the attacker, as we
are being compelled to do, these attacks are creating a two tier DNS system.
One for those who can afford to pay for the highly advanced engineering that
allows a service to operate in the most trying and difficult of
circumstances, and what’s left, which is a third rate toxic DNS wasteland
that we’ve simply given up on."

"The DNS for the rest of us is vanishing in this toxic mire.  And it won’t
correct itself.  The attacks are aimed at defended points, so they increase
in intensity in line with the increases in defence levels of the highly
defended.  So everyone else is more and more vulnerable in the face of this
increasing malevolence.  Is there a way out of this loop of escalating
badness?  As good as all these attack deflection techniques are, wouldn’t it
be good if we could just call up the DNS police?  Can we shift our
collective focus back to the common good, and shift our focus away from
selected potential victims who can afford private protection and instead
focus on the attacker and the attacks that they carry out?"

I'd love to help point your customer somewhere, but no one is going to
credibly host DoS-attracting domains on the cheap for the reasons outlined
above.

	Bert
