nanog mailing list archives


From: Matthew Sullivan <matthew () sorbs net>
Date: Wed, 27 Aug 2003 21:54:14 +1000

Ok this time with the correct from address ;-)

Paul Vixie wrote:

> ok so this part does not mystify me...
>
> > Someone has been in contact with Joe via phone and posted
> > to another mailing list That Zhall Not Be Named that
> > exactly that is happening.  The zone is dead, ...
>
> ...because running blackhole lists is surprisingly harder
> than most people think.  (witness the message here
> a few hours ago complaining of 50Kpkt/day query loads.)  i've
> paid some dues in this area, so i feel qualified to say that
> "i told you so" on this topic.  but at least there's no mystery.

I'm not worried about the 50k queries a day; the previous mail was about
setting this as a threshold, as in 'ok, you're saving some money/bandwidth by
using us, help us extend the service and protect against DDoS by paying
a nominal subscription'.

I can handle around 6000 DNS queries per second here, but the DDoS hit
the servers with 300,000 packets per second of invalid DDoS crap that I
can't handle alone.

I have been talking to a lot of people about solutions and came up with
a 'distributed DNS blocklist' idea; this led to my post earlier, as Joe
had issues with DDoS on the addresses he had listed in the root
nameservers - which I figure is the weakest link all round...

Someone has suggested 'anycasting'; what do people (particularly you, Paul)
think of using anycasting for a DNSbl? (AS112 anyone?)  I think it may
work well... however I am a novice in terms of BGP...  As far as I can
tell it involves getting a portable address block (someone suggested
anything less than a /24 would get filtered) and announcing it in
various locations around the Net with local servers behind each of those
announcements.... is this fundamentally correct?

Assuming I am right in my current understanding, I am about to start
looking at the procedure to get an ASN and then I'll be looking for
some portable IP space if the consensus and thoughts are this will
work.  I am thinking along the lines of talking with the other large
DNSbls (particularly Easynet (wirehub) and DSBL) about setting up a set
of combined DNSbl servers all anycast'd.  This after all will bring any
DDoS machines to the attention of the local networks they are attacking
.... ;-)

Thoughts, comments, flames...?

Thanks for all the offers of support and help, I will get back to
everyone in detail as soon as I get a chance.
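As an added example (not from the original post, and not SORBS code), one caveat of the "local servers behind each announcement" design: a site whose local DNSBL server has died must withdraw its prefix, or the anycast routing keeps steering queries into a black hole. The zone name, the 198.51.100.0/24 prefix and the 127.0.0.2 always-listed test entry are assumptions here; the resolver is injected so the gate logic runs offline.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Constructed example values, not taken from the original post.
DNSBL_ZONE = "dnsbl.example.net"      # placeholder for the real DNSBL zone
TEST_ADDRESS = "127.0.0.2"            # assumed always-listed DNSBL test entry
ANYCAST_PREFIX = "198.51.100.0/24"    # documentation prefix standing in for the portable /24


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: octets reversed under the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def local_server_healthy(resolve: Callable[[str], Optional[str]]) -> bool:
    """This node is healthy only if its own server answers the test entry with a 127/8 code."""
    try:
        answer = resolve(dnsbl_query_name(TEST_ADDRESS))
        return answer is not None and (
            ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8"))
    except (OSError, ValueError):
        # Resolver failure or a malformed answer both count as unhealthy.
        return False


def decide_announcement(resolve: Callable[[str], Optional[str]],
                        currently_announced: bool) -> str:
    """Return the BGP action for this anycast node: 'announce', 'withdraw' or 'keep'."""
    healthy = local_server_healthy(resolve)
    if healthy and not currently_announced:
        return "announce"       # server back: start attracting queries again
    if not healthy and currently_announced:
        return "withdraw"       # server down: stop black-holing queries at this site
    return "keep"


def system_resolver(name: str) -> Optional[str]:
    """Lookup via the host resolver; production use only, the test injects a fake."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Hypothetical: a real node would feed this action to its local BGP daemon for ANYCAST_PREFIX.
    print(ANYCAST_PREFIX, decide_announcement(system_resolver, currently_announced=True))
```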