Re: Summary with further Question: Domain Name System protection

[Joe Shen <joe_hznm () yahoo com sg>]

Hi,

> > in situation of DoS attack or situation of high
> > session rate;
>
> Routers with hardware based access lists. No
> problem.


What I'm not sure about ACL on router is, how to
survive DNS server under DoS/DDos attack. We suffered
from DoS attack last year, and we found the source IPs
of that attack locate in our customers IP address
blocks. ACL on router could only filter those traffic
not meaningful to DNS server, but how about those DDoS
attacking packets? 

> We currently have the Nominum CNS on trial here, and
> we are very 
> impressed. It performs much better than BIND 8/9 -
> our measurements
> show even greater differences than Brad Knowles'
> tests. Example: One
> server running BIND 9 shows more than 30% CPU usage
> during peak hours,
> but only 2-3% with Nominum CNS. We also have the
> issue that BIND 9
> seems to start *failing* when it reaches a certain
> cache size (as in:
> Some queries are either not answered at all, or they
> are answered
> with SERVFAIL).

Impressive! What's the peak value of concurrent DNS
requests in your trial? 

Thanks.

Joe 
  

__________________________________________________
Do You Yahoo!?
Download the latest ringtones, games, and more!
http://sg.mobile.yahoo.com