[dns-operations] solutions for DDoS mitigation of DNS

Mark Andrews marka at isc.org
Thu Apr 2 04:25:18 UTC 2020

You use all the mechanisms available to you.

Traceback.  Getting BCP38 installed at the sites emitting spoofed traffic help yourself and everyone else.  In many cases this is coming from compromised machines.

You enable/tune response rate filtering.

You use DNS COOKIES and encourage your clients to use DNS COOKIES.  This helps sort the wheat from the chaff.

You talk to you local politicians about mandating BCP38 deployment in your country.  BCP 38 is 20 years old next month so there is unless one is actually operating 20 year equipment there is no excuse for not having deployed BCP38 in you network.  This needs to see directors of ISPs sitting in gaol for not deploying BCP 38.


> On 2 Apr 2020, at 14:51, Tessa Plum <tessa at plum.ovh> wrote:
> Hello Paul
> We were under some attack like UDP flood to the authority servers, there were a lot of UDP requests flooding to the servers. The traffic size was about 20Gbps last time as I have said in last message. The clients seem using spoofed IP addresses.
> Thanks.
> Tessa
> Paul Vixie wrote:
>> On Thursday, 2 April 2020 02:14:14 UTC Tessa Plum wrote:
>>> Hello
>>> May I ask if there are any solutions for DDoS mitigation of DNS?
>>> Both commercial or free solutions could be considered.
>>> Thanks.
>>> Tessa
>>> https://plum.ovh/
>> to keep your own authority servers from amplifying spoofed-source attacks, you
>> need response rate limiting, available in bind9, dnsdist, nsd, (any others?)
>> to keep your own recursive servers from amplifying spoofed-source attacks, you
>> need ACL's that make it unreachable outside your specific client base.
>> to keep your own servers of whatever kind from being ddos'd into congestion
>> loss, you need massive overprovisioning including both local and global
>> anycast. you may also need something like akamai's "clean feed" filtering.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list