nanog mailing list archives
Re: DDoS appliances reviews needed
From: Hugo Slabbert <hugo () slabnet com>
Date: Thu, 27 Aug 2015 08:24:15 -0700
On Thu 2015-Aug-27 02:48:31 -0700, alvin nanog <nanogml () Mail DDoS-Mitigator net> wrote:
--snip--
> defending against DNS is almost equally trivial ....
> - 53/udp is used for dns queries ...

...except when it's not. TCP is an accepted transport for DNS queries and necessary for response sizes > 512 bytes where EDNS is not in use / available.

> - 53/tcp is used for zone transfers between primary and secondary DNS servers
> thus, all incoming tcp packets to a DNS server are DDoS attacks except your own primary and secondary dns server ip#

As per above, that's not entirely accurate, though you're welcome to cause some FPs by dropping legitimate DNS queries over TCP. Granted on our own recursive resolvers the percentage of TCP queries is vanishingly small to non-existent, but "all" is not correct.

> - we're all assuming your DNS server is closed for recursive queries to prevent DNS amplification attacks ...

...for different degrees of "closed". I'm assuming $dayjob for at least *some* of the folks on this list entails a service provider network of some sort, where it'd be pretty likely there are some recursive resolvers available to their customers. DNS amplification queries sourced from (or spoofed as) within customer ranges and able to reach the resolvers are still a vector.
-- Hugo
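The point Hugo makes about TCP/53 is worth seeing end to end. The following is an added example (not code from the thread or from either poster): a small, offline simulation of the DNS UDP-to-TCP fallback from RFC 1035 section 4.2 (reaffirmed in RFC 7766). A simulated server without EDNS0 truncates any response larger than 512 bytes and sets the TC bit; the client reads the TC bit and retries over TCP, where the message carries a 2-byte length prefix. The `tcp53_allowed` switch models the "drop all inbound tcp/53" rule quoted above and shows the false positive it creates: the client is left with a truncated answer. Message bodies are opaque byte strings, not real resource records, and all function names are this example's own.

```python
"""Simulate DNS UDP -> TCP fallback (RFC 1035 4.2.1/4.2.2, RFC 7766).

Constructed example: messages are a real 12-byte DNS header followed by an
opaque body standing in for the question/answer sections.
"""
import struct

UDP_MAX = 512      # RFC 1035 limit for DNS over UDP when EDNS0 is not negotiated
HEADER_LEN = 12    # RFC 1035 4.1.1 header size
FLAG_QR = 0x8000   # response bit
FLAG_TC = 0x0200   # truncated bit


def build_message(txid, flags, body):
    """Pack a DNS header (QDCOUNT=1, other counts 0) in front of an opaque body."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + body


def parse_header(msg):
    """Return the transaction id plus the QR and TC flags from a DNS message."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC)}


def server_answer_udp(txid, full_body):
    """Server side over UDP, no EDNS0: truncate and set TC if the reply exceeds 512 bytes."""
    msg = build_message(txid, FLAG_QR, full_body)
    if len(msg) > UDP_MAX:
        return build_message(txid, FLAG_QR | FLAG_TC, full_body[:UDP_MAX - HEADER_LEN])
    return msg


def server_answer_tcp(txid, full_body):
    """Server side over TCP: no 512-byte limit; message is prefixed with its 2-byte length."""
    msg = build_message(txid, FLAG_QR, full_body)
    return struct.pack("!H", len(msg)) + msg


def read_tcp_message(stream):
    """Client side: strip the 2-byte length prefix used on TCP (RFC 1035 4.2.2)."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def resolve(txid, full_body, tcp53_allowed=True):
    """Client side: query over UDP first; retry over TCP when TC is set.

    tcp53_allowed=False models a filter that drops all inbound tcp/53 except
    zone-transfer peers, i.e. the rule discussed in the thread.
    """
    udp = server_answer_udp(txid, full_body)
    hdr = parse_header(udp)
    if not hdr["tc"]:
        return {"transport": "udp", "complete": True, "body_len": len(udp) - HEADER_LEN}
    if not tcp53_allowed:
        # Legitimate retry blocked: the resolver keeps only the truncated answer.
        return {"transport": "udp", "complete": False, "body_len": len(udp) - HEADER_LEN}
    tcp = read_tcp_message(server_answer_tcp(txid, full_body))
    return {"transport": "tcp", "complete": True, "body_len": len(tcp) - HEADER_LEN}


if __name__ == "__main__":
    small = b"A" * 100   # constructed: fits in a UDP datagram
    large = b"B" * 900   # constructed: e.g. a DNSKEY/RRSIG-sized reply without EDNS0
    print("small, tcp allowed :", resolve(1, small))
    print("large, tcp allowed :", resolve(2, large))
    print("large, tcp blocked :", resolve(3, large, tcp53_allowed=False))
```

Running it shows the three cases: a small answer completes over UDP, a large one completes only after the TCP retry, and the same large answer stays incomplete when tcp/53 is filtered. Detection logic that treats every TCP SYN to port 53 as attack traffic should at minimum exempt TCP queries that follow a TC-flagged UDP response from the same client.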