[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Matthew Pounsett matt at conundrum.com
Sun Sep 4 15:30:58 UTC 2016

On 4 September 2016 at 11:14, Damian Menscher <damian at google.com> wrote:

> To help me know what to look for, can someone give a sense of what "large"
> means?  Not sure if you're thinking 1Mpps or 100Mpps here. ;)

Large is in the eye of the beholder, mostly based on his or her
experience.  In the past, I've seen authoritative infrastructure I'm
responsible for used to generate up to about 60Gb/s of outbound traffic
toward a single victim.  I don't recall the PPS specifically, but it would
be in the 10-20Mpps range probably.

> Also, it sounds like you're suggesting they find a single authoritative
> server to amplify off of, rather than distributing their attack across
> hundreds/thousands of domains?  That seems likely to limit their peak
> bandwidth unless the authoritative server is operated by a major provider,
> which may be why I never noticed this method.

I haven't seen anyone suggest that.

It's been rare for me to have an opportunity to speak to the victims that
my infrastructures have been aimed at, but in the one case that happened
they reported they were seeing attacks from multiple sources.  From their
point of view that likely means multiple authoritative infrastructures were
being used to attack them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160904/475ad569/attachment.html>

More information about the dns-operations mailing list