[c-nsp] rate limit dns

Eugeniu Patrascu eugen at imacandi.net
Fri Jan 3 04:15:26 EST 2014


On Fri, Jan 3, 2014 at 4:30 AM, Dobbins, Roland <rdobbins at arbor.net> wrote:

>
> On Jan 3, 2014, at 12:32 AM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
>
> > With modern machines (from a few years back) you can track a lot of
> connections effortlessly.
>
> I think you don't understand the scale of even small DDoS attacks in terms
> of state-tracking.
>
> Stateful devices put in front of servers which are then DDoSed go down,
> taking down everything behind those stateful devices.  I've seen 3mb/sec of
> spoofed SYN-flood take down a 20gb/sec stateful firewall; I've seen 10kpps
> of HOIC take down a 10gb/sec load-balancer.
>
> This isn't theoretical or speculative.
>

Maybe I should try this again: what I said was that on the recursive
resolvers dedicated to your clients you can add an extra layer of
protection, in terms of dropping fake responses targeted at those servers, by
means of a local firewall set up on each box, not on a gateway-like box.
My reasoning is that the kernel would be better at dropping unwanted
packets faster than the userspace DNS daemon can discard them. And with
very small timers enabled this should be feasible.

What I'm arguing against is the idea of rate limiting a service just
because it might be attacked and have your customers play the lottery with
their queries and try again if their packets are lost due to rate limiting.

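A concrete form of the per-host setup described in the message above, as an added example that is not from the original post or from any participant in the thread: nftables rules plus conntrack sysctls for a Linux recursive resolver, so that inbound UDP traffic from source port 53 is accepted only when it matches a conntrack entry created by the resolver's own outbound query, and everything else from sport 53 is counted and dropped in the kernel. The client prefix (192.0.2.0/24), the management host (198.51.100.10), the table name and the timer values are assumptions to be tuned for the box in question.

```shell
#!/bin/sh
# Added example (not from the original post): host-local nftables rules for a
# Linux recursive resolver, so the kernel drops unsolicited DNS answers before
# the userspace daemon sees them, with short conntrack UDP timers.
# Assumptions: the IPv4 client prefix, management host and timer values below.

CLIENT_NETS="${CLIENT_NETS:-192.0.2.0/24}"        # assumed client prefix (RFC 5737)
MGMT_NETS="${MGMT_NETS:-198.51.100.10}"           # assumed admin host for SSH
UDP_UNREPLIED_TIMEOUT="${UDP_UNREPLIED_TIMEOUT:-3}" # s; keep above the daemon's upstream retry timeout
UDP_REPLIED_TIMEOUT="${UDP_REPLIED_TIMEOUT:-5}"     # s; a UDP DNS exchange is one packet each way
CONNTRACK_MAX="${CONNTRACK_MAX:-1048576}"         # sized for client flows + outstanding upstream queries

# Emit the nftables ruleset. The conntrack entry created by the resolver's own
# outbound query is the only thing that lets an inbound sport-53 packet in; a
# spoofed answer has to hit an exact live 4-tuple inside the timer window.
# Dropped packets never get their conntrack entry confirmed, so a flood of
# forged answers does not grow the table.
build_ruleset() {
    cat <<EOF
table inet resolver_guard {}
flush table inet resolver_guard
table inet resolver_guard {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop

        # Answers to our own upstream queries (and ICMP errors about them).
        ct state established,related accept

        # Queries from our clients only.
        ip saddr { ${CLIENT_NETS} } udp dport 53 ct state new accept
        ip saddr { ${CLIENT_NETS} } tcp dport 53 ct state new accept

        # IPv6 neighbour discovery so the box stays reachable on v6.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Management.
        ip saddr { ${MGMT_NETS} } tcp dport 22 ct state new accept

        # Anything from sport 53 that is not an established reply is a spoofed
        # or stray answer. Count it so the drop rate can be watched.
        udp sport 53 counter drop comment "unsolicited DNS answers"
    }
}
EOF
}

# Conntrack tuning: short UDP timers keep the table small, since real answers
# expire within seconds and forged ones never enter it.
build_sysctls() {
    cat <<EOF
net.netfilter.nf_conntrack_udp_timeout = ${UDP_UNREPLIED_TIMEOUT}
net.netfilter.nf_conntrack_udp_timeout_stream = ${UDP_REPLIED_TIMEOUT}
net.netfilter.nf_conntrack_max = ${CONNTRACK_MAX}
EOF
}

apply_all() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing what would be applied" >&2
        build_ruleset
        build_sysctls
        return 0
    fi
    build_ruleset | nft -f -
    build_sysctls | while read -r key _ value; do
        sysctl -w "${key}=${value}"
    done
}

# Run as "sh resolver_guard.sh apply" to load; otherwise only define functions.
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Two checks a practitioner would want after loading this: `nft list table inet resolver_guard` shows the counter on the final drop rule, which is the number of unsolicited answers the kernel discarded without the daemon ever seeing them, and `/proc/sys/net/netfilter/nf_conntrack_count` shows how much state the host is actually holding, which should stay close to the number of client flows plus the daemon's outstanding upstream queries. The UDP timeouts are system-wide on the host, which is acceptable on a box dedicated to recursion; the unreplied timer must remain longer than the resolver's own upstream retransmit timeout, or legitimate slow authoritative answers will be dropped along with the forged ones.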
