nanog mailing list archives

Re: DNS Attacks


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Wed, 18 Jan 2012 08:05:36 +0000


On Jan 18, 2012, at 2:45 AM, Leigh Porter wrote:

The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..).


DNS servers (nor any other kind of server, for that matter) should never be placed behind stateful firewalls - the largest firewall one can build or buy will choke under even moderate DDoS attacks due to state-table exhaustion:

<https://files.me.com/roland.dobbins/679xji>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde
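
The state-table exhaustion described in the message above, modelled as an added example that is not part of the original post. The function name `simulate`, the table size, the idle timeout and the flow rates are all constructed assumptions, not measurements of any product.

```python
from collections import deque

def simulate(capacity, idle_timeout_s, legit_fps, flood_fps, duration_s):
    """Model a firewall state table; return (first_drop_second, legit_drop_fraction).

    Assumptions (constructed for illustration): every new flow, legitimate or
    flood, is a single UDP query that creates one state entry; entries are only
    freed by the idle timer; within a second, free slots are shared pro rata.
    """
    expiry = deque()            # (second_at_which_entries_expire, entry_count)
    in_use = 0
    legit_offered = legit_admitted = 0
    first_drop = None
    for now in range(duration_s):
        # Age out entries whose idle timer has run out.
        while expiry and expiry[0][0] <= now:
            in_use -= expiry.popleft()[1]
        offered = legit_fps + flood_fps
        admitted = min(capacity - in_use, offered)
        if admitted:
            in_use += admitted
            expiry.append((now + idle_timeout_s, admitted))
        # Share of the admitted flows that belonged to legitimate clients.
        ok = admitted * legit_fps // offered if offered else 0
        if ok < legit_fps and first_drop is None:
            first_drop = now
        legit_offered += legit_fps
        legit_admitted += ok
    return first_drop, 1 - legit_admitted / legit_offered

if __name__ == "__main__":
    # Constructed sample values: 1M-entry table, 30 s UDP idle timeout,
    # 2,000 legitimate new flows/s, with and without 100,000 flood flows/s.
    for flood in (0, 100_000):
        first, dropped = simulate(1_000_000, 30, 2_000, flood, 120)
        print(f"flood={flood:>7}/s first_drop={first} legit_dropped={dropped:.1%}")
```

In this model the table needs roughly rate times idle timeout entries to keep up, so the legitimate load alone fits easily while the flood fills the table within seconds and new legitimate flows are refused until old entries age out.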



