[dns-operations] solutions for DDoS mitigation of DNS
Tessa Plum
tessa at plum.ovh
Thu Apr 2 03:51:05 UTC 2020
Hello Paul
We were under an attack like a UDP flood to the authority servers; there
were a lot of UDP requests flooding the servers. The traffic size was
about 20Gbps last time, as I said in my last message. The clients seem
to be using spoofed IP addresses.
Thanks.
Tessa
Paul Vixie wrote:
> On Thursday, 2 April 2020 02:14:14 UTC Tessa Plum wrote:
>> Hello
>>
>> May I ask if there are any solutions for DDoS mitigation of DNS?
>> Both commercial or free solutions could be considered.
>>
>> Thanks.
>>
>> Tessa
>> https://plum.ovh/
>
> to keep your own authority servers from amplifying spoofed-source attacks, you
> need response rate limiting, available in bind9, dnsdist, nsd, (any others?)
>
> to keep your own recursive servers from amplifying spoofed-source attacks, you
> need ACLs that make it unreachable outside your specific client base.
>
> to keep your own servers of whatever kind from being ddos'd into congestion
> loss, you need massive overprovisioning including both local and global
> anycast. you may also need something like akamai's "clean feed" filtering.
>
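The two configuration measures in the quoted reply (response rate limiting on the authoritative side, ACLs on the recursive side) as a BIND 9 `named.conf` fragment. This is an added example, not configuration from either poster or from the BIND project; the address ranges are the RFC 5737/3849 documentation prefixes standing in for your own client networks, and the per-second thresholds are illustrative starting points, not recommended values for a specific deployment.

```conf
// --- Authoritative server ---------------------------------------------
// Without rate-limit, a stream of spoofed-source queries is answered in
// full and the victim receives the (larger) responses: reflection plus
// amplification. RRL caps identical responses per client prefix.
options {
    recursion no;                 // authoritative only: never recurse for anyone

    rate-limit {
        responses-per-second 10;  // identical answers per prefix per second
        nxdomains-per-second 5;   // NXDOMAIN is a favourite reflection payload
        errors-per-second 5;
        window 5;                 // seconds over which the rate is averaged
        slip 2;                   // every 2nd suppressed reply is sent truncated
                                  // (TC=1, tiny), so a genuine client retries
                                  // over TCP while a spoofer gains nothing
        ipv4-prefix-length 24;    // bucket clients by /24 (the BIND default)
        ipv6-prefix-length 56;    // and by /56 for IPv6 (the BIND default)
        log-only no;              // set "yes" first to observe what would be dropped
        exempt-clients { 192.0.2.0/24; };   // constructed: your own monitoring/resolvers
    };
};

// --- Recursive server --------------------------------------------------
// Weak setting (an open resolver that reflects for the whole Internet):
//     allow-recursion { any; };
// Corrected: recursion only for the networks you actually serve.
acl "our-clients" {
    192.0.2.0/24;                 // constructed example client range
    2001:db8::/32;                // constructed example client range
    localnets;
};

options {
    recursion yes;
    allow-query        { our-clients; };
    allow-recursion    { our-clients; };
    allow-query-cache  { our-clients; };   // also keep cache contents private
};
```

Run the authoritative block with `log-only yes;` for a day and read the `rate-limit` log lines before enforcing: if legitimate large resolvers hit the limits, raise the thresholds or add them to `exempt-clients` rather than turning RRL off. The ACL block addresses reflection only; as the reply notes, it does nothing against a 20Gbps flood that saturates the link, which is where anycast and upstream scrubbing come in.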