[105221] in North American Network Operators' Group
Re: DNS problems to RoadRunner - tcp vs udp
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Sun Jun 15 15:12:06 2008
From: Roland Dobbins <rdobbins@cisco.com>
To: nanog@merit.edu
In-Reply-To: <200806151302.m5FD2ngA046141@aurora.sol.net>
Date: Mon, 16 Jun 2008 02:11:20 +0700
Errors-To: nanog-bounces@nanog.org
On Jun 15, 2008, at 8:02 PM, Joe Greco wrote:
> I think a real solution would be more sophisticated than this, but
> it's a starting point.
In addition to the BCPs already mentioned by Sean and Nathan, a good
detection/classification/traceback system plus S/RTBH can be helpful,
and there are commercial DDoS mitigation services/scrubbers available
from various SPs/vendors which have DNS-specific functionality, as
well. Blocking TCP/53 is definitely not an optimal solution, as many
have already pointed out.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // +66.83.266.6344 mobile
History is a great teacher, but it also lies with impunity.
-- John Robb
