[dns-operations] solutions for DDoS mitigation of DNS

[Mark Andrews]

> On 3 Apr 2020, at 00:09, Tessa Plum <tessa at plum.ovh> wrote:
> 
> On 2020/4/2 7:28 下午, Stephane Bortzmeyer wrote:
>> BCP38 is Good,*but*  it protects others against you. So, to be
>> protected, you need the*others*  to implement it.
> 
> Ah OK.
> So BCP38 is useless for my case. Others don't care if I am meeting the attack or not.
> 
> regards.

No, it is not useless.  It requires you to talk to your upstream providers and have them traceback the attacks to their source.  Repeat with their upstreams.  The sources can be cut off which can just be turn on BCP38 filtering on a link that is emitting spoofed traffic.  They can do that.  Every network that turns on BCP38 filtering is one more you don’t have to worry about in the future sending you spoofed traffic.

None of this saying don’t do the other measures.

Spoofed traffic has been a long term problem.  It does require getting people to spend time reconfiguring boxes.  That has a cost but it is a lot smaller cost globally than carrying the spoofed traffic past the earliest point where it can be blocked and defending against the spoofed traffic.  Unfortunately many ISPs don’t see that it is in their enlightened self interest to deploy BCP38 filters.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org