North American Network Operators Group (NANOG) mailing list archive

Re: register.com down sev0?
On Oct 26, 2006, at 12:14 AM, [email protected] wrote:

> On 26 Oct 2006, Paul Vixie wrote:
>
> > i wonder if that's due to the spam they've been sending out?
>
> Paul, this isn't nanae. Let's not sling accusations like that wildly.

Accusations and objective facts are two separate things.

> > there is no zone anywhere, including COM, the root zone, or any other,
>
> This isn't 2001, and, I will argue that it *is*, in fact, possible to be

You are mistaken. However, we agree.

Even assuming your numbers, which I do not grant, you are still mistaken.

> Well, let's talk about "worst-case ddos". Let's say, 50mpps (I have not

> > > Given that register.com is/was public (I think?) - I wonder what are their
> >
> > that's an easy but catty criticism, and baseless. i'm sure that some

There is no single "appropriately[sic] place" which can absorb 50Mpps. If you meant "appropriately placed" (as in topologically dispersed locations), a well crafted attack could still guarantee _at least_ a partial DoS from an end user PoV. It is essentially impossible to distinguish end-user requests from (im)properly created DoS packets (especially until BCP38 is widely adopted - i.e. probably never). Since there is no single place - no 13 places - which can withstand a well crafted DoS, you are guaranteed that some users will not be able to reach any of your listed authorities. This is not speculation, this is fact. All a good provider can do, even with 1000s of servers, is minimize the impact of any DoS.

Oh, and putting 2K servers into the "right" places is not a trivial expense, even for a large company. Last time I checked, 10GE pipes were not handed out for free. And you can't just rack these things in mom-and-pop colo saying "well, it has a GigE on the motherboard" when the colo has an OC3 to the 'Net. The Cap- and Op-Ex involved in doing what you suggest properly is large enough to probably be prohibitively expensive for a company like register.com.

> I know that the above was just rough back-of-the-envelope, and things are

We disagree. Keeping large name servers running is _absolutely_ a network operations topic. Not only is the defense mostly network based (since the network is the most likely thing to break), network operators are the people who get the phone calls when DNS does break.

-- 
TTFN,
patrick