nanog mailing list archives

Re: DDoS appliances reviews needed


From: Hugo Slabbert <hugo () slabnet com>
Date: Thu, 27 Aug 2015 08:24:15 -0700

On Thu 2015-Aug-27 02:48:31 -0700, alvin nanog <nanogml () Mail DDoS-Mitigator net> wrote:

--snip--

> defending against DNS is almost equally trivial ....
>         - 53/udp is used for dns queries ...

...except when it's not. TCP is an accepted transport for DNS queries and necessary for response sizes > 512 bytes where EDNS is not in use / available.

>         - 53/tcp is used for zone transfers between primary and secondary DNS servers
>
>         thus, all incoming tcp packets to a DNS server are DDoS attacks
>         except your own primary and secondary dns server ip#

As per above, that's not entirely accurate, though you're welcome to cause some FPs by dropping legitimate DNS queries over TCP. Granted on our own recursive resolvers the percentage of TCP queries is vanishingly small to non-existent, but "all" is not correct.

>         - we're all assuming your DNS server is closed for recursive queries
>         to prevent DNS amplification attacks ...

...for different degrees of "closed". I'm assuming $dayjob for at least *some* of the folks on this list entails a service provider network of some sort, where it'd be pretty likely there are some recursive resolvers available to their customers. DNS amplification queries sourced from (or spoofed as) within customer ranges and able to reach the resolvers are still a vector.

--
Hugo
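An added illustration of the point about TCP fallback (example code written for this archive page, not from either poster): a DNS message carries a UDP payload limit only if the query includes an EDNS0 OPT record; without one the limit is 512 bytes, and a response larger than that comes back with the TC bit set, which a resolver must follow up over 53/tcp. The query bytes are constructed here and the function names are my own.

```python
import struct

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, edns_bufsize=None, txid=0x1234):
    """Constructed DNS query: header (RD=1), one question, optional OPT RR."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries ext-rcode/version/flags (all zero here), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg

def skip_name(msg, off):
    """Advance past a wire-format name (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def udp_payload_limit(query):
    """Largest UDP response the querier says it accepts (512 without EDNS0)."""
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                          # OPT: rclass is the buffer size
            return max(rclass, 512)              # RFC 6891: values below 512 mean 512
    return 512

def needs_tcp(response_len, query):
    """True if the full answer cannot be delivered over UDP to this querier."""
    return response_len > udp_payload_limit(query)

def is_truncated(response):
    """TC bit (0x0200 in the flags word) tells the client to retry over TCP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)
```

A 1500-byte answer (a large MX or DNSSEC response, say) needs TCP for a plain query but fits in UDP when the query advertised a 4096-byte EDNS0 buffer, so a blanket drop of 53/tcp breaks the first class of clients.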
