[c-nsp] DNS rewrite & global capabilities
Roland Dobbins
rdobbins at arbor.net
Mon Jun 29 10:17:28 EDT 2009
On Jun 29, 2009, at 8:33 PM, Jonathan Brashear wrote:
> It seems like the ability to rewrite DNS against certain DDoS attacks
Marketing claims aside, firewalls have no utility whatsoever in terms
of defending against DDoS attacks, and actually tend to make the
situation worse and the server behind them *more* vulnerable to DDoS,
and not less, due to the limitations of the stateful capacity they
embody.
You'd be far better off using S/RTBH as a reaction tool, and depending
upon your application and its importance/scale, may wish to
investigate other tools intended to protect firewalls and the things
behind them from DDoS (full disclosure; I work for a company which
makes such tools).
But even more than that, putting your public-facing DNS (or any other
kind of server) behind a firewall is a very serious architectural
mistake; firewalls in front of public-facing servers provide no
security value whatsoever, and degrade the overall security posture
due to the issues denoted above. Far, far better to bring your
public-facing DNS servers out from behind the firewall, employ all the
various host- and application-/service-specific BCPs, ensure your DNS
architecture is properly designed and scaled, and make use of S/RTBH,
et al. to deal with DDoS.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton
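The S/RTBH reaction tool recommended above is, in practice, a BGP-triggered null route combined with loose-mode uRPF on the edge. The following Cisco IOS configuration is an added illustration of that mechanism and is not part of Roland's post or any vendor document; the AS number (65000), the discard next-hop (192.0.2.1), the route tag (666), the interface name and the attacking source prefix (198.51.100.0/24) are all constructed placeholders drawn from the RFC 5737 documentation ranges.

```cisco
! ---- Trigger router (usually a route reflector or a dedicated box) ----
! The "discard" next-hop is pinned to Null0 here and on every edge router.
ip route 192.0.2.1 255.255.255.255 Null0

! Only static routes carrying tag 666 are turned into blackhole announcements.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export

router bgp 65000
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 send-community
 redistribute static route-map RTBH-TRIGGER

! ---- Edge router (repeat on every border router) ----
! Same discard next-hop, so any prefix whose next-hop is 192.0.2.1 is dropped.
ip route 192.0.2.1 255.255.255.255 Null0

! Loose-mode uRPF: a packet whose SOURCE address resolves to Null0 is discarded.
! This is what turns a destination blackhole into a SOURCE blackhole (S/RTBH).
interface GigabitEthernet0/0
 description Upstream transit
 ip verify unicast source reachable-via any

router bgp 65000
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 send-community

! ---- Reaction step, typed on the trigger router during an attack ----
! Tagging the attacking source prefix causes every edge to drop packets
! FROM it, while traffic to the DNS servers keeps flowing.
ip route 198.51.100.0 255.255.255.0 Null0 tag 666

! ---- Removal after the attack ----
no ip route 198.51.100.0 255.255.255.0 Null0 tag 666
```

The point the post makes is visible in the last two blocks: the reaction is a single static route on one router, it takes effect at line rate on every edge with no per-flow state, and it is withdrawn just as cheaply. Pair it with a NetFlow or similar telemetry feed so the source prefix you blackhole is the one actually sending the attack, and keep the trigger router's BGP sessions restricted to iBGP peers with `no-export` so a blackhole never leaks to transit providers.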