[dns-operations] about anti-ddos DNS hostings

Mark E. Jeftovic markjr at easydns.com
Thu Jun 11 16:28:15 UTC 2015



Mike Hoskins (michoski) wrote:

> 
> I don't work for amazon, but have used route53 as a cheaper alternative to
> Akamai.
> 
> Note neither of these are marketed as anti-DDoS as directly as services
> like Akamai, but the way in which the services are deployed provides
> better "protection" than your average hoster or individual.
>

You have to look at DDoS from two perspectives:

1) The direct target of the DDoS

2) Everybody else impacted as collateral damage of #1

If you're #1 there is no such thing as "cheap DDoS protection", unless
you're a non-profit and hookup with certain organizations that
specialize in helping non-profits. You could go to Cloudflare's free
options but they are (AFAIK) only free up to a certain point and may not
be desirable solutions (i.e. a web proxy / middle jump page / etc), not
to mention that they primarily provide (free) solutions for websites,
not DNS providers, etc.


Most of the damage experienced from DDOS attacks is #2, collateral
damage, and what we've always said in these situations is that the magic
bullet for surviving these types of DDOS attacks is to have multiple DNS
solutions/providers/vendors etc.

That works for end-users. If you have any DNS constellation that isn't
an exact match of the DDOS target's then you're going to come through
relatively unscathed.

If *you* are a DNS provider, you still have the issue of protecting your
systems whenever you get hit. That costs money and there are no "cheap"
ways to do this.

A vendor like Amazon Route 53 (or any other DNS vendor) is not a magic
bullet for DDoS attacks if *you* are the target.

They'll just get rid of you, one way or another (us included: even if we
want to keep you as a customer, you're going to have to pay the premium
for DDoS mitigation and we'll move you over to a Staminus or a Cloudflare).

The key point which I'm trying to make, which most outfits who seem to
bring DDoS attacks to our door (and those of other DNS vendors) find
impossible to grasp is this:

The DDoS mitigation DNS providers pay a lot of money for is there to
keep their *other* customers online when *you* get DDOS-ed, and *not* to
provide DDOS mitigation for *you* for *cheap*.

If you're a small provider with not a lot of budget to spend on DDoS
mitigation the best strategy is not to get DDoS-ed. That isn't a Yogi
Berra-ism, you can actually do this much of the time by coming up with
some pre-screening rules you apply to domains *before* you allow them to
delegate to your servers.

Those rules would be unique to your situation and it doesn't always work
of course. You then need some kind of plan for those times when they do
sneak through, but if you can head off even one DDoS a year before it
starts you could be postponing your eventual ulcer or nervous breakdown
out a few good years before you finally lose your shit and throw in the
towel.

- mark


> 
> 
>> -----Original Message-----
>> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On
>> Behalf Of bert hubert
>> Sent: Thursday, June 11, 2015 11:00
>> To: Kevin C.
>> Cc: dns-operations at dns-oarc.net
>> Subject: Re: [dns-operations] about anti-ddos DNS hostings
>>
>> On Thu, Jun 11, 2015 at 12:06:54PM +0800, Kevin C. wrote:
>>> Do you know which provider has a good anti-ddos systems and with a low
>>> price for bulk zones? I will suggest him switch to there.
>> No, this is something you can't offer right now. Geoff Huston's thinking
>> on this is instrumental:
> 
> 
> Yes and no.  Those with existing large estates/geo footprint supported by
> other means than just selling DNS services are in a unique position to try.
> 
> 
>> http://labs.apnic.net/?p=624
>>
>> "Defending your DNS is now a game that you only win if you can afford to
>> win.
> 
> 
> Generally agreed, and not just DNS...DDoS in general.  This view is
> certainly older than May 2015, but becomes more true each day.
> 
> 
> 
> 

-- 
Mark E. Jeftovic <markjr at easydns.com>
Founder & CEO, easyDNS Technologies Inc.
+1-(416)-535-8672 ext 225
Read my blog: http://markable.com
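The "multiple DNS providers" advice above can be turned into a quick audit. The following is an added example, not code from the thread or from easyDNS: it parses constructed, dig-style NS answers for two zones, groups each zone's nameservers by an assumed provider key (the last two labels of the nameserver name; a real audit would map addresses to ASNs or anycast clouds), and reports how much of a zone's constellation overlaps with a hypothetical DDoS target's.

```python
"""Nameserver-diversity audit (illustration only, not from the mailing list)."""
from collections import defaultdict

# Constructed sample answers in the presentation format `dig NS` prints.
SAMPLE_ANSWERS = """
example.com.        3600 IN NS dns1.providera.net.
example.com.        3600 IN NS dns2.providera.net.
example.com.        3600 IN NS ns1.providerb.org.
victim.example.     3600 IN NS dns1.providera.net.
victim.example.     3600 IN NS dns2.providera.net.
"""


def parse_ns_answers(text):
    """Return {zone: set(nameserver hosts)} from dig-style NS record lines."""
    zones = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "NS":
            zones[fields[0].lower()].add(fields[4].lower().rstrip("."))
    return dict(zones)


def provider_of(ns_host):
    """Assumed provider key: the last two labels of the nameserver name."""
    return ".".join(ns_host.split(".")[-2:])


def providers(ns_hosts):
    """Distinct providers behind a zone's NS set."""
    return {provider_of(h) for h in ns_hosts}


def collateral_risk(my_ns, target_ns):
    """Fraction of my nameservers hosted by providers that also host the target.
    1.0: my constellation matches the target's and I go down with it.
    0.0: no shared provider, so the target's DDoS should not touch my zone."""
    hit = providers(target_ns)
    shared = [h for h in my_ns if provider_of(h) in hit]
    return len(shared) / len(my_ns)


def audit(text, target_zone):
    """Provider count and collateral-risk fraction for every zone except the target."""
    zones = parse_ns_answers(text)
    target = zones[target_zone]
    return {z: {"providers": len(providers(ns)), "risk": collateral_risk(ns, target)}
            for z, ns in zones.items() if z != target_zone}
```

A zone reporting one provider, or a risk near 1.0, is the "exact match of the DDOS target's constellation" case the post warns about.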
