[c-nsp] rate limit dns

Mack McBride mack.mcbride at viawest.com
Tue Dec 31 16:13:25 EST 2013


Recursive servers have to be able to receive responses from anywhere on the internet.
There is no way to configure that so it can't be flooded off of the internet.

Nor can RTBH stop a true DDoS.  That is the 'distributed' part that is the first D.
Nor will it stop a reflection attack, which is even more damaging because then you are
blocking important authoritative DNS servers.

Using tiers of recursive resolvers doesn't help.  Using distributed resolvers might, depending on the
nature of the attack.

As an ISP operator, I can tell you that your solution will only work for someone whose customers
can't leave for another provider.

Mack McBride | Network Architect | ViaWest, Inc.
O: 720.891.2502 | mack.mcbride at viawest.com | www.viawest.com | LinkedIn | Twitter | YouTube



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dobbins, Roland
Sent: Monday, December 30, 2013 7:13 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] rate limit dns


On Dec 31, 2013, at 1:27 AM, Mack McBride <mack.mcbride at viawest.com> wrote:

> Phishing has little to do with DNS per se.

Some does, actually.

> BUT, forcing customers to use your DNS results in the possibility of all of your customers suffering in a DDoS situation where your DNS servers are targeted.

If your first-line recursive DNS servers are configured correctly, then they can't be DDoSed directly from outside your network, and it's easy enough to squelch attacks originating from within your network via S/RTBH or other mitigation mechanisms.  There are mitigation mechanisms to protect the upper tier of external resolvers which feed the first-tier resolvers, as well.

What part of allowing Google DNS and OpenDNS by default wasn't clear?

Also, note that policies can be altered, if circumstances warrant.  But any network operator which doesn't have the capability to defend its own recursive DNS servers from DDoS attacks should take steps to implement S/RTBH, et al.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

