nanog mailing list archives
Re: DOS attack against DNS?
From: Paul Vixie <paul () vix com>
Date: Tue, 17 Jan 2006 19:21:03 +0000
# Last saturday one of our Web server experienced a TCP SYN attck which make # the system down for four hours. It seems there is not a good solution which # could detect & defend DoS traffic at any time. by definition, there will never be a single defense against all attacks. # So, to the class ANY queries, should we only filtering out class any queries # on public cache servers ? if you're seeing them and they're hurting you, yes. or if you're willing to undure the configuration pain of always dropping them (see marka's recent mail on "view" statements for this purpose), then yes. # To my understandings, the amplifying result could also be reached by query # type any. that's not my understanding. you're more likely to be hurt by a peer's lack of BCP38 conformance than by all the type=ANY queries you'll ever hear in DNS.
Current thread:
- Re: DOS attack against DNS?, (continued)
- Re: DOS attack against DNS? Daniel Senie (Jan 16)
- Re: DOS attack against DNS? Mark Andrews (Jan 16)
- Re: DOS attack against DNS? Paul Vixie (Jan 15)
- Re: DOS attack against DNS? bmanning (Jan 15)
- Re: DOS attack against DNS? Paul Vixie (Jan 15)
- Re: DOS attack against DNS? Mark Andrews (Jan 15)
- Re: DOS attack against DNS? bmanning (Jan 15)
- Re: DOS attack against DNS? Alon Tirosh (Jan 16)
- Re: DOS attack against DNS? william(at)elan.net (Jan 16)
- Re: DOS attack against DNS? Alon Tirosh (Jan 16)
- Re: DOS attack against DNS? Joe Shen (Jan 17)
- Re: DOS attack against DNS? Paul Vixie (Jan 17)
- Re: DOS attack against DNS? Paul Vixie (Jan 17)