nanog mailing list archives

Re: register.com down sev0?


From: alex () pilosoft com
Date: Thu, 26 Oct 2006 01:31:39 -0400 (EDT)


On Thu, 26 Oct 2006, Patrick W. Gilmore wrote:

> There is no single "appropriately[sic] place" which can absorb 50Mpps.
> If you meant "appropriately placed" (as in topologically dispersed
> locations), a well crafted attack could still guarantee _at least_ a
> partial DoS from an end user PoV.
>
> It is essentially impossible to distinguish end-user requests from
> (im)properly created DoS packets (especially until BCP38 is widely
> adopted - i.e. probably never).  Since there is no single place - no 13
> places - which can withstand a well crafted DoS, you are guaranteed that
> some users will not be able to reach any of your listed authorities.
Yeah - I know it is hard-to-impossible to do that, and it is a tug-of-war
between worm writers (to generate queries indistinguishable from real
client-resolver-generated queries) and trying-to-detect-malformed-queries
(such as duplicated qid, or from IP space that shouldn't be hitting this
specific node). You probably dealt with more ddos than the rest of us
combined, so I bow to your superior knowledge.

>> I know that the above was just rough back-of-the-envelope, and things
>> are far more complicated than that, but this discussion does not really
>> belong to nanog-l.
>
> We disagree.  Keeping large name servers running is _absolutely_ a
> network operations topic.  Not only is the defense mostly network based
> (since the network is the most likely thing to break), network operators
> are the people who get the phone calls when DNS does break.
Sorry - I meant that the discussion of whether or not register.com is spamming
isn't somewhat off-topic. Of course, DNS operations (and particularly
dealing with "biblical scale" ddos) is very much on-topic.

-alex
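The two detection heuristics Alex names (the same qid repeated from one source, and queries arriving from IP space that should not reach this anycast node) run over constructed query log lines, as an added illustration that is not code from the thread; the log format and the catchment prefixes are assumptions, and the addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of what an anycast authority might log: "src_ip qid qname".
# Addresses come from documentation ranges; the one-line format is an assumption.
SAMPLE_LOG = """\
192.0.2.10 1a2b example.com.
192.0.2.10 1a2b example.com.
192.0.2.10 1a2b example.com.
198.51.100.7 0001 example.net.
203.0.113.5 4c4d example.org.
198.51.100.8 0002 example.net.
"""

# Prefixes this hypothetical node expects queries from (assumption about the catchment).
EXPECTED_CATCHMENT = ["192.0.2.0/24", "198.51.100.0/24"]


def parse_log(text):
    """Yield (src_ip, qid, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, qid, qname = line.split()
        yield src, int(qid, 16), qname


def flag_suspicious(queries, catchment, dup_threshold=3):
    """Return {src_ip: sorted reasons} for sources matching either heuristic.

    Both signals are weak on their own: a stub resolver retrying a lost query
    may reuse its qid, and anycast catchments move with routing, so treat a hit
    as a reason to rate-limit or investigate, not as proof of an attack.
    """
    nets = [ipaddress.ip_network(n) for n in catchment]
    qid_seen = defaultdict(lambda: defaultdict(int))
    reasons = defaultdict(set)
    for src, qid, _qname in queries:
        if not any(ipaddress.ip_address(src) in n for n in nets):
            reasons[src].add("outside-catchment")
        qid_seen[src][qid] += 1
        if qid_seen[src][qid] >= dup_threshold:
            reasons[src].add("duplicate-qid")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for src, why in flag_suspicious(parse_log(SAMPLE_LOG), EXPECTED_CATCHMENT).items():
        print(src, ",".join(why))
```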




