North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: register.com down sev0?
On Thu, 26 Oct 2006, Patrick W. Gilmore wrote: > There is no single "appropriately[sic] place" which can absorb 50Mpps. > If you meant "appropriately placed" (as in topologically dispersed > locations), a well crafted attack could still guarantee _at least_ a > partial DoS from an end user PoV. > > It is essentially impossible to distinguish end-user requests from > (im)properly created DoS packets (especially until BCP38 is widely > adopted - i.e. probably never). Since there is no single place - no 13 > places - which can withstand a well crafted DoS, you are guaranteed that > some users will not be able to reach any of your listed authorities. Yeah - I know it hard-to-impossible to do that, and it is a tug-of-war between worm writers (to generate queries indistinguishable from real client-resolver-generated queries) and trying-to-detect-malformed-queries (such as duplicated qid, or from IP space that shouldn't be hitting this specific node). You probably dealt with more ddos than rest of us combined, so I bow to your superior knowledge. >> I know that the above was just rough back-of-the-envelope, and things >> are far more complicated than that, but this discussion does not really >> belong to nanog-l. > We disagree. Keeping large name servers running is _absolutely_ a > network operations topic. Not only is the defense mostly network based > (since the network is the most likely thing to break), network operators > are the people who get the phone calls when DNS does break. Sorry - I meant that discussion whether or not register.com is spamming isn't somewhat offtopic. Of course, DNS operations (and particularly dealing with "biblical scale" ddos) is very much on-topic. -alex
|