[dns-operations] solutions for DDoS mitigation of DNS
tessa at plum.ovh
Thu Apr 2 03:51:05 UTC 2020
We were under some attack like a UDP flood to the authority servers; there
were a lot of UDP requests flooding the servers. The traffic size was
about 20Gbps last time, as I said in my last message. The clients seem to be
using spoofed IP addresses.
Paul Vixie wrote:
> On Thursday, 2 April 2020 02:14:14 UTC Tessa Plum wrote:
>> May I ask if there are any solutions for DDoS mitigation of DNS?
>> Both commercial or free solutions could be considered.
> to keep your own authority servers from amplifying spoofed-source attacks, you
> need response rate limiting, available in bind9, dnsdist, nsd, (any others?)
> to keep your own recursive servers from amplifying spoofed-source attacks, you
> need ACL's that make it unreachable outside your specific client base.
> to keep your own servers of whatever kind from being ddos'd into congestion
> loss, you need massive overprovisioning including both local and global
> anycast. you may also need something like akamai's "clean feed" filtering.
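As a constructed illustration (added here, not from Tessa's or Paul's messages) of the first two controls Paul lists, here is a BIND 9 `named.conf` excerpt: response rate limiting on an authoritative server, and a client-base ACL on a separate recursive server. The address ranges are documentation placeholders, and the thresholds are starting points to tune against real query logs.

```conf
// ---- authoritative server: keep it from amplifying spoofed-source floods ----
options {
    directory "/var/named";
    recursion no;                    // authoritative only; no recursive service
    rate-limit {
        responses-per-second 10;     // identical answers to one client net per second
        referrals-per-second 5;
        nodata-per-second 5;
        nxdomains-per-second 5;      // random-subdomain floods hit this limit first
        errors-per-second 5;
        window 5;                    // seconds of credit a client may accumulate
        slip 2;                      // every 2nd dropped answer is sent truncated (TC=1),
                                     // so a real client retries over TCP, a spoofer cannot
        ipv4-prefix-length 24;       // limits apply per /24 (assumption: default is fine)
        ipv6-prefix-length 56;
        exempt-clients { 192.0.2.0/24; };   // placeholder: own monitoring / secondaries
        log-only yes;                // phase 1: observe what WOULD be dropped, change
                                     // to "no" once the limits are tuned
    };
};

// ---- recursive server: reachable only by our own client base ----
acl "our-clients" {
    192.0.2.0/24;                    // placeholder customer range
    2001:db8::/32;                   // placeholder customer range
    localhost;
    localnets;
};

options {
    directory "/var/named";
    recursion yes;
    // allow-recursion { any; };     // open resolver: answers spoofed sources for anyone
    allow-recursion    { our-clients; };
    allow-query-cache  { our-clients; };
    allow-query        { our-clients; };
    minimal-responses  yes;          // smaller answers mean less amplification per query
};
```

With `log-only yes`, BIND logs `would rate limit` entries in the `rate-limit` logging category, which is the safest way to check the thresholds against legitimate traffic before enforcing them.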