[AusNOG] Attacks against DNS servers...

Dobbins, Roland rdobbins at arbor.net
Tue Sep 11 11:54:33 EST 2012


On Sep 11, 2012, at 8:45 AM, Mark Tees wrote:

> Thoughts out there?

You should have a scalable, bulkheaded, functionally separated DNS architecture which clearly separates recursive DNS from authoritative DNS.

You can use flow telemetry to look for high-qps sources and then block them via S/RTBH or flowspec.

If you're using BIND, you can deploy the per-source rate-limiting patch - but note that it won't stop the queries from reaching your server(s), it just somewhat reduces the impact of heavy-hitters.

You can examine logs (if you can afford to run them) or use other types of packet-sampling mechanisms to determine which records/domains are being affected, and, depending upon your filtering capabilities, filter accordingly.

There are also commercial solutions available from various vendors which can be utilized to defend DNS servers against DDoS attacks.

[Full disclosure: I am employed by a vendor of such solutions.]

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
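One way to implement the flow-telemetry step described in the reply above, as an added example that is not part of the original post: a small Python aggregator over constructed NetFlow-like records that counts packets toward port 53 per source, converts them into an approximate query rate, and lists the sources above a threshold as candidates for S/RTBH or flowspec filtering. The record layout, the sample addresses and the threshold are assumptions.

```python
from collections import defaultdict

DNS_PORT = 53

# Constructed sample flow records (not real telemetry), one per flow:
# (unix_time, src_ip, dst_ip, dst_port, ip_proto, packets)
SAMPLE_FLOWS = [
    (1000, "203.0.113.10", "198.51.100.53", 53, 17, 12),
    (1000, "203.0.113.11", "198.51.100.53", 53, 17, 8),
    (1001, "203.0.113.10", "198.51.100.53", 53, 17, 15),
    (1002, "192.0.2.77",   "198.51.100.53", 53, 17, 9000),
    (1003, "192.0.2.77",   "198.51.100.53", 53, 17, 8800),
    (1003, "203.0.113.12", "198.51.100.53", 443, 6, 5000),  # HTTPS, not DNS
    (1004, "192.0.2.77",   "198.51.100.53", 53, 17, 9100),
    (1004, "203.0.113.10", "198.51.100.53", 53, 17, 10),
]


def dns_query_rates(flows, sampling_rate=1):
    """Approximate queries/second per source IP toward port 53.

    Each packet to UDP or TCP port 53 is counted as one query, scaled by
    the exporter's 1:N sampling rate; the window is the span of timestamps
    seen in the records (inclusive, in seconds).
    """
    per_source = defaultdict(int)
    timestamps = []
    for ts, src, _dst, dport, proto, pkts in flows:
        if dport != DNS_PORT or proto not in (6, 17):
            continue  # ignore non-DNS traffic in the same export
        per_source[src] += pkts * sampling_rate
        timestamps.append(ts)
    if not timestamps:
        return {}
    window = max(timestamps) - min(timestamps) + 1
    return {src: count / window for src, count in per_source.items()}


def heavy_hitters(rates, threshold_qps):
    """Sources above the qps threshold, highest first: the candidate list
    an operator would review before pushing S/RTBH or flowspec entries."""
    return sorted((s for s, q in rates.items() if q > threshold_qps),
                  key=lambda s: rates[s], reverse=True)


if __name__ == "__main__":
    rates = dns_query_rates(SAMPLE_FLOWS)
    for src in heavy_hitters(rates, threshold_qps=1000):
        print(f"{src}: ~{rates[src]:.0f} qps to port {DNS_PORT}")
```

The `sampling_rate` argument must match the exporter's configured 1:N sampling, otherwise the rates are understated by that factor.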
