[dns-operations] solutions for DDoS mitigation of DNS

Tessa Plum tessa at plum.ovh
Thu Apr 2 03:51:05 UTC 2020


Hello Paul

We were under some attack like a UDP flood to the authority servers; there 
were a lot of UDP requests flooding the servers. The traffic size was 
about 20Gbps last time, as I said in my last message. The clients seem 
to be using spoofed IP addresses.

Thanks.
Tessa


Paul Vixie wrote:
> On Thursday, 2 April 2020 02:14:14 UTC Tessa Plum wrote:
>> Hello
>>
>> May I ask if there are any solutions for DDoS mitigation of DNS?
>> Both commercial or free solutions could be considered.
>>
>> Thanks.
>>
>> Tessa
>> https://plum.ovh/
> 
> to keep your own authority servers from amplifying spoofed-source attacks, you
> need response rate limiting, available in bind9, dnsdist, nsd, (any others?)
> 
> to keep your own recursive servers from amplifying spoofed-source attacks, you
> need ACLs that make it unreachable outside your specific client base.
> 
> to keep your own servers of whatever kind from being ddos'd into congestion
> loss, you need massive overprovisioning including both local and global
> anycast. you may also need something like akamai's "clean feed" filtering.
> 
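As an added illustration (not part of the thread, and not anyone's production config), the two controls Paul describes, RRL on an authoritative server and client-base ACLs on a recursive server, expressed as BIND9 named.conf fragments; the network prefixes and rate values are placeholders for the example and must be tuned against measured query rates.

```conf
// Added example, not from the thread. Two separate named.conf fragments.
// Prefixes (RFC 5737 / RFC 3849 documentation ranges) and rate values are
// placeholders; tune them against observed legitimate query rates.

acl "clients" { 192.0.2.0/24; 2001:db8::/32; localhost; };

// ---- Fragment 1: authoritative server ----
// Response rate limiting (RRL) caps how many identical responses go to one
// client prefix per second, so a spoofed-source flood cannot use this server
// as an amplifier. Begin with log-only to measure impact, then enforce.
options {
    directory "/var/named";
    recursion no;                  // authoritative only; never recurse for anyone
    rate-limit {
        responses-per-second 10;   // identical answers per client prefix per second
        errors-per-second 5;       // REFUSED / SERVFAIL
        nxdomains-per-second 5;    // NXDOMAIN answers (common in random-subdomain floods)
        referrals-per-second 5;
        nodata-per-second 5;
        window 5;                  // seconds of credit a prefix may accumulate
        slip 2;                    // every 2nd dropped answer becomes a small TC=1 reply,
                                   // so real clients retry over TCP while spoofed ones don't
        ipv4-prefix-length 24;     // rate-limit per IPv4 /24
        ipv6-prefix-length 56;     // rate-limit per IPv6 /56
        exempt-clients { "clients"; };
        log-only yes;              // log what would be dropped; set to "no" to enforce
    };
};

// ---- Fragment 2: recursive resolver ----
// ACLs make the resolver unreachable from outside its own client base, so it
// cannot be driven to answer (and amplify) queries from spoofed sources.
options {
    directory "/var/named";
    recursion yes;
    allow-query       { "clients"; };   // answer nobody else at all
    allow-recursion   { "clients"; };
    allow-query-cache { "clients"; };
};
```

RRL only stops your own servers from amplifying toward spoofed victims; it does not reduce the inbound flood volume itself, which is why the same reply separately recommends overprovisioning and anycast.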

