[dns-operations] solutions for DDoS mitigation of DNS

Tessa Plum tessa at plum.ovh
Thu Apr 2 07:06:17 UTC 2020

On 2020/4/2 12:25 下午, Mark Andrews wrote:
> You use all the mechanisms available to you.
> Traceback.  Getting BCP38 installed at the sites emitting spoofed traffic help yourself and everyone else.  In many cases this is coming from compromised machines.
> You enable/tune response rate filtering.
> You use DNS COOKIES and encourage your clients to use DNS COOKIES.  This helps sort the wheat from the chaff.
> You talk to you local politicians about mandating BCP38 deployment in your country.  BCP 38 is 20 years old next month so there is unless one is actually operating 20 year equipment there is no excuse for not having deployed BCP38 in you network.  This needs to see directors of ISPs sitting in gaol for not deploying BCP 38.

Thanks. I never knew BCP38 before. I will try to study it.


More information about the dns-operations mailing list