[c-nsp] rate limit dns
Eugeniu Patrascu
eugen at imacandi.net
Thu Jan 2 04:22:50 EST 2014
On Wed, Jan 1, 2014 at 12:26 AM, Mack McBride <mack.mcbride at viawest.com> wrote:
> 'Other mechanisms' is a beautiful catch phrase for hire a DDoS mitigation
> vendor.
>
> Many reflection attacks do use authoritative servers because of the amount
> of throughput those servers have. Most are quite capable of a full gig of
> traffic. I know ours certainly are.
> SPF records (i.e. TXT) are a favorite target since they can be fairly large.
> And with signed records it is even worse.
>
FWIW, if you run your customers' recursive resolvers on a Linux/*BSD box you
can set up iptables/pf in such a way that you only allow queries from
customers and from your resolver to the internet in a stateful way and deny
unrelated incoming "responses" and still have the same performance levels.
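One way to realise the stateful iptables filter sketched above, as an added example that is not from the thread; it assumes a Linux resolver with conntrack, and the customer prefix and resolver address are documentation placeholders.

```shell
#!/bin/sh
# Constructed placeholder values (RFC 5737 documentation ranges), not real addresses.
CUSTOMER_NET="${CUSTOMER_NET:-192.0.2.0/24}"
RESOLVER_IP="${RESOLVER_IP:-198.51.100.53}"

# Emit iptables commands for a customer-facing recursive resolver.
# Only customers may open new queries to port 53; the resolver may open new
# queries to the internet; anything else reaching the box must belong to a
# flow conntrack already knows, so unsolicited "responses" (reflection
# traffic sourced from port 53) fall through to the DROP policy.
dns_resolver_rules() {
  net="$1"; me="$2"
  cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $net -d $me -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s $net -d $me -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -s $me -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -s $me -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m limit --limit 10/min -j LOG --log-prefix "dns-unsolicited: "
EOF
}

# Print the rules; pass "apply" as the first argument to execute them (root needed).
# Under load, size net.netfilter.nf_conntrack_max for the query rate and consider
# lowering net.netfilter.nf_conntrack_udp_timeout so finished lookups age out quickly.
if [ "${1:-}" = "apply" ]; then
  dns_resolver_rules "$CUSTOMER_NET" "$RESOLVER_IP" | sh
else
  dns_resolver_rules "$CUSTOMER_NET" "$RESOLVER_IP"
fi
```

The same rules need an ip6tables mirror for a dual-stack resolver, and the LOG line is there so unsolicited port-53 traffic shows up in syslog rather than disappearing silently.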