[dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers
Ralf Weber
dns at fl1ger.de
Wed Jun 29 09:39:19 CEST 2016
Moin!

On 29 Jun 2016, at 8:55, Henrik Lund Kramshøj wrote:

> and when being attacked the harm is already done, service will be
> interrupted if we do nothing …

There is a difference on doing something as a response to attacks or having something hanging there that might treat you bad down the road.

> so the talk about these boxes throwing away some traffic, bad
> middleboxes etc. These are not middleboxes, but part of the overall
> solution at the end-network - and as such they increase operational
> cost - but they bring more resilience and stability to the service.
> They even work using the existing hardware devices in many
> circumstances, making the cost less than buying "DDoS protection
> service box model 2000"
>
> YMMV, and you should always consider your own environment, adding
> DNSSEC comments are great etc. Some things SHOULD be discarded, others
> rate-limited

I don't have problems with discarding, but again it should be done where the impact is understood and a router doesn't have that. Doing opaque dropping to the outbound of a resolver even while part of the solution can have weird effects and should be avoided.

> and shameless link
> https://ripe72.ripe.net/wp-content/uploads/presentations/32-simulated-ddos-ripe.pdf
> which has similar advice

Again that was during the attack and not permanent (Anand can correct me if I got it wrong). Also this was an authoritative server which has a different defence pattern than a resolver that was described in the article.

So long
-Ralf