[dns-operations] about anti-ddos DNS hostings

Kevin C. kevin at dnsbed.com
Fri Jun 12 12:48:13 UTC 2015


I really like what Mark said.
This is a real case that happened at my end.


On 2015/6/12 Friday 0:28, Mark E. Jeftovic wrote:
>
>
> Mike Hoskins (michoski) wrote:
>
>>
>> I don't work for amazon, but have used route53 as a cheaper alternative to
>> Akamai.
>>
>> Note neither of these are marketed as anti-DDoS as directly as services
>> like Akamai, but the way in which the services are deployed provides
>> better "protection" than your average hoster or individual.
>>
>
> You have to look at DDoS from two perspectives:
>
> 1) The direct target of the DDoS
>
> 2) Everybody else impacted as collateral damage of #1
>
> If you're #1 there is no such thing as "cheap DDoS protection", unless
> you're a non-profit and hookup with certain organizations that
> specialize in helping non-profits. You could go to Cloudflare's free
> options but they are (AFAIK) only free up to a certain point and may not
> be desirable solutions (i.e. a web proxy / middle jump page / etc), not
> to mention that they primarily provide (free) solutions for websites,
> not DNS providers, etc.
>
>
> Most of the damage experienced from DDOS attacks is #2, collateral
> damage, and what we've always said in these situations is that the magic
> bullet for surviving these types of DDOS attacks is to have multiple DNS
> solutions/providers/vendors etc.
>
> That works for end-users. If you have any DNS constellation that isn't
> an exact match of the DDOS target's then you're going to come through
> relatively unscathed.
>
> If *you* are a DNS provider, you still have the issue of protecting your
> systems whenever you get hit. That costs money and there are no "cheap"
> ways to do this.
>
> A vendor like Amazon Route 53 (or any other DNS vendor) is not a magic
> bullet for DDoS attacks if *you* are the target.
>
> They'll just get rid of you, one way or another (us included. Even if we
> want to keep you as a customer, you're going to have to pay the premium
> for DDoS mitigation and we'll move you over to a Staminus or a Cloudflare)
>
> The key point which I'm trying to make, which most outfits who seem to
> bring DDoS attacks to our door (and those of other DNS vendors) find
> impossible to grasp is this:
>
> The DDoS mitigation DNS providers pay a lot of money for is there to
> keep their *other* customers online when *you* get DDOS-ed, and *not* to
> provide DDOS mitigation for *you* for *cheap*.
>
> If you're a small provider with not a lot of budget to spend on DDoS
> mitigation the best strategy is not to get DDoS-ed. That isn't a Yogi
> Berra-ism, you can actually do this much of the time by coming up with
> some pre-screening rules you apply to domains *before* you allow them to
> delegate to your servers.
>
> Those rules would be unique to your situation and it doesn't always work
> of course. You then need some kind of plan for those times when they do
> sneak through, but if you can head off even one DDoS a year before it
> starts you could be postponing your eventual ulcer or nervous breakdown
> out a few good years before you finally lose your shit and throw in the
> towel.
>
> - mark
>
>
>>
>>
>>> -----Original Message-----
>>> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On
>>> Behalf Of bert hubert
>>> Sent: Thursday, June 11, 2015 11:00
>>> To: Kevin C.
>>> Cc: dns-operations at dns-oarc.net
>>> Subject: Re: [dns-operations] about anti-ddos DNS hostings
>>>
>>> On Thu, Jun 11, 2015 at 12:06:54PM +0800, Kevin C. wrote:
>>>> Do you know which provider has a good anti-ddos systems and with a low
>>>> price for bulk zones? I will suggest him switch to there.
>>> No, this is something you can't offer right now. Geoff Huston's thinking
>>> on this is instrumental:
>>
>>
>> Yes and no.  Those with existing large estates/geo footprint supported by
>> other means than just selling DNS services are in a unique position to try.
>>
>>
>>> http://labs.apnic.net/?p=624
>>>
>>> "Defending your DNS is now a game that you only win if you can afford to
>>> win.
>>
>>
>> Generally agreed, and not just DNS...DDoS in general.  This view is
>> certainly older than May 2015, but becomes more true each day.
>>
>>
>
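As an added example, not code from this thread or from any of its posters, here is a small Python check for the property Mark describes above: a zone whose nameservers are split across more than one provider and more than one network, so that a DDoS aimed at another customer of one vendor does not take the whole delegation down as collateral damage. All zone names, nameserver names and addresses are constructed sample data under reserved ranges; a real check would feed it the NS RRset and the nameservers' A/AAAA records obtained from a resolver query.

```python
import ipaddress
from collections import defaultdict

# Constructed sample delegation data (not real lookups):
# zone -> list of (nameserver hostname, [addresses])
SAMPLE_DELEGATIONS = {
    # One vendor, one /24: every nameserver shares fate with the same infrastructure.
    "single-vendor.example": [
        ("ns1.dnsvendor-a.example", ["192.0.2.10"]),
        ("ns2.dnsvendor-a.example", ["192.0.2.11"]),
    ],
    # Two vendors on distinct address ranges: the "multiple providers" pattern.
    "multi-vendor.example": [
        ("ns1.dnsvendor-a.example", ["192.0.2.10"]),
        ("ns2.dnsvendor-a.example", ["192.0.2.11"]),
        ("ns1.dnsvendor-b.example", ["198.51.100.20", "2001:db8:b::20"]),
        ("ns2.dnsvendor-b.example", ["198.51.100.21"]),
    ],
}


def provider_of(nameserver):
    """Approximate a nameserver's operator by its registrable parent domain
    (last two labels). A first-pass heuristic; production tooling would use
    ASN data or a public-suffix list instead."""
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def prefix_of(address):
    """Return the /24 (IPv4) or /48 (IPv6) containing an address, a coarse
    stand-in for 'same network, same fate'."""
    ip = ipaddress.ip_address(address)
    length = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))


def assess_delegation(nameservers):
    """Group a zone's nameservers by provider and network prefix and decide
    whether the delegation survives the loss of any single one of them."""
    providers = defaultdict(list)
    prefixes = set()
    for host, addrs in nameservers:
        providers[provider_of(host)].append(host)
        for addr in addrs:
            prefixes.add(prefix_of(addr))
    diverse = len(providers) >= 2 and len(prefixes) >= 2
    return {"providers": dict(providers), "prefixes": sorted(prefixes), "diverse": diverse}


def shared_constellation(ns_a, ns_b):
    """True when two zones delegate to exactly the same nameserver set, i.e. an
    attack on one zone's servers hits the other zone as collateral damage."""
    names_a = {host.rstrip(".").lower() for host, _ in ns_a}
    names_b = {host.rstrip(".").lower() for host, _ in ns_b}
    return names_a == names_b


if __name__ == "__main__":
    for zone, ns in SAMPLE_DELEGATIONS.items():
        result = assess_delegation(ns)
        verdict = "diverse" if result["diverse"] else "single point of failure"
        print(f"{zone}: {len(result['providers'])} provider(s), "
              f"{len(result['prefixes'])} prefix(es) -> {verdict}")
```

The /24 and /48 grouping is deliberately coarse: it flags the obvious case of every nameserver sitting in one block of one vendor, which is exactly the constellation that shares fate with whoever else that vendor hosts.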


