[dns-operations] solutions for DDoS mitigation of DNS

Tony Finch dot at dotat.at
Thu Apr 2 12:28:24 UTC 2020


Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> Tony Finch <dot at dotat.at> wrote:
>
> > > ACLs in the server are not enough, you also need ingress filtering
> > > on the borders of your network, to prevent packets claiming to be
> > > from your network to get inside.
> >
> > That kind of ingress filtering protects you against DDoSing
> > yourself, which maybe the rest of the Internet isn't too bothered
> > about :-)
>
> I'm not sure I understand you.

If spoofed packets come into your network "from" one of your addresses
then any amplification inside your network will reflect back to your own
addresses. An attacker can hurt you harder with much less bandwidth usage
in the rest of the Internet.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Ardnamurchan Point to Cape Wrath: Northwesterly 5 to 7, occasionally gale 8 at
first, backing westerly 4 or 5 later, then becoming cyclonic 3 later in far
north. Very rough or high becoming rough or very rough, then moderate or rough
later. Squally wintry showers, perhaps thundery in north. Good, occasionally
poor.
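As an added illustration, not part of Tony's message or anything else in the thread, the filter below models the border check being discussed: a packet arriving from the Internet whose source address belongs to one of our own prefixes is dropped before it can reach anything inside that would answer it. The prefixes, interface names, packets and amplification factor are all constructed sample values, and the egress check is a hypothetical complement rather than something the thread mentions.

```python
"""Border anti-spoofing filter, modelled in Python.

Added example for the dns-operations thread above; not code from the
list or from any product. All addresses and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed: the address space this network owns and announces.
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]

# Constructed interface names: "border" faces the Internet, "inside" faces our LAN.
BORDER_IFACE = "border"


@dataclass(frozen=True)
class Packet:
    ingress_iface: str
    src: str
    dst: str
    size: int  # bytes on the wire


def is_ours(addr: str) -> bool:
    """True if addr falls inside one of our own prefixes."""
    a = ip_address(addr)
    return any(a in net for net in OUR_PREFIXES)


def ingress_allowed(pkt: Packet) -> bool:
    """Border ingress rule: a packet entering from the Internet may not
    claim a source address that belongs to us. Anything else passes."""
    if pkt.ingress_iface == BORDER_IFACE and is_ours(pkt.src):
        return False
    return True


def egress_allowed(pkt: Packet) -> bool:
    """Hypothetical companion rule (not from the thread): a packet leaving
    from inside must carry one of our own source addresses."""
    if pkt.ingress_iface != BORDER_IFACE and not is_ours(pkt.src):
        return False
    return True


def reflection_target(pkt: Packet, filtering: bool,
                      amplification: int) -> Optional[Tuple[str, int, bool]]:
    """Where would an internal responder's reply go, and how big is it?

    Returns None when the border drops the packet. Otherwise returns
    (reply destination, reply size in bytes, reply_stays_inside_our_network).
    The last flag is the point of the thread: with no ingress filtering, a
    spoofed request reflects amplified traffic straight back at our own
    addresses without ever crossing the rest of the Internet again.
    """
    if filtering and not ingress_allowed(pkt):
        return None
    reply_to = pkt.src
    return (reply_to, pkt.size * amplification, is_ours(reply_to))


def summarise(packets, filtering: bool, amplification: int) -> dict:
    """Count dropped packets and bytes reflected onto our own addresses."""
    dropped = 0
    inward_bytes = 0
    for pkt in packets:
        result = reflection_target(pkt, filtering, amplification)
        if result is None:
            dropped += 1
        elif result[2]:
            inward_bytes += result[1]
    return {"dropped": dropped, "reflected_inward_bytes": inward_bytes}


if __name__ == "__main__":
    # Constructed traffic: two spoofed requests "from" our own space arriving
    # at the border, one legitimate external query to the same internal host.
    sample = [
        Packet(BORDER_IFACE, "192.0.2.10", "192.0.2.53", 60),
        Packet(BORDER_IFACE, "192.0.2.11", "192.0.2.53", 60),
        Packet(BORDER_IFACE, "198.51.100.7", "192.0.2.53", 60),
    ]
    print("no filter :", summarise(sample, filtering=False, amplification=30))
    print("with filter:", summarise(sample, filtering=True, amplification=30))
```

On a real border router the same rule is usually expressed as an interface ACL denying your own prefixes as source on the Internet-facing interface, or as a unicast reverse-path check; the model above only exists to make the reflection effect Tony describes concrete.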