[183325] in North American Network Operators' Group
Re: DDoS appliances reviews needed
daemon@ATHENA.MIT.EDU (Hugo Slabbert)
Thu Aug 27 11:24:17 2015
X-Original-To: nanog@nanog.org
Date: Thu, 27 Aug 2015 08:24:15 -0700
From: Hugo Slabbert <hugo@slabnet.com>
To: alvin nanog <nanogml@Mail.DDoS-Mitigator.net>
In-Reply-To: <20150827094831.GA21515@Mail.DDoS-Mitigator.net>
Cc: NANOG Mailing List <nanog@nanog.org>,
Ramy Hashish <ramy.ihashish@gmail.com>
Errors-To: nanog-bounces@nanog.org
On Thu 2015-Aug-27 02:48:31 -0700, alvin nanog
<nanogml@Mail.DDoS-Mitigator.net> wrote:
--snip--
>defending against DNS is almost equally trivial ....
> - 53/udp is used for dns queries ...
...except when it's not. TCP is an accepted transport for DNS queries and
necessary for response sizes > 512 bytes where EDNS is not in use /
available.
> - 53/tcp is used for zone transfers between primary and secondary DNS
> servers
>
> thus, all incoming tcp packets to a DNS server are DDoS attacks
> except your own primary and secondary dns server ip#
As per above, that's not entirely accurate, though you're welcome to cause
some FPs by dropping legitimate DNS queries over TCP. Granted, on our own
recursive resolvers the percentage of TCP queries is vanishingly small to
non-existent, but "all" is not correct.
> - we're all assuming your DNS server is closed for recursive queries
> to prevent DNS amplification attacks ...
...for different degrees of "closed". I'm assuming $dayjob for at least
*some* of the folks on this list entails a service provider network of some
sort, where it'd be pretty likely there are some recursive resolvers
available to their customers. DNS amplification queries sourced from (or
spoofed as) within customer ranges and able to reach the resolvers are
still a vector.
--
Hugo
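Added example (not part of this thread or of either poster's message): a small Python model of the behaviour Hugo describes, showing why a rule of "every TCP packet to port 53 from a non-peer address is an attack" drops legitimate traffic. It builds real DNS wire-format responses, applies the server's UDP size limit (512 bytes without EDNS, the client's advertised buffer size with it), sets the TC bit when the answer doesn't fit, and models the resolver retrying over TCP. The query name, TXT record contents and IP addresses are constructed sample values (TEST-NET ranges), not anything from the thread.

```python
import struct

UDP_LIMIT_NO_EDNS = 512   # classic DNS UDP payload limit (RFC 1035)
FLAG_QR = 0x8000          # response bit
FLAG_TC = 0x0200          # truncated bit
TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, root-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, tc=False, edns_bufsize=None):
    """Build a DNS response: header, one TXT question, TXT answers, optional OPT RR."""
    flags = FLAG_QR | (FLAG_TC if tc else 0)
    arcount = 1 if edns_bufsize else 0
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    body = b""
    for txt in answers:
        rdata = bytes([len(txt)]) + txt                      # TXT character-string
        body += encode_name(qname) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    if edns_bufsize:
        # EDNS OPT pseudo-RR: root name, type 41, CLASS field carries the UDP payload size
        body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return hdr + question + body


def is_truncated(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def answer_count(msg: bytes) -> int:
    return struct.unpack("!H", msg[6:8])[0]


def udp_answer(qname, answers, client_bufsize=None):
    """Server side: answer over UDP, or send TC=1 with no answers if it won't fit."""
    full = build_response(qname, answers, edns_bufsize=client_bufsize)
    limit = client_bufsize or UDP_LIMIT_NO_EDNS
    if len(full) <= limit:
        return full
    return build_response(qname, [], tc=True, edns_bufsize=client_bufsize)


def simulate_lookup(qname, answers, client_bufsize=None):
    """Resolver side: try UDP first; on TC=1 retry the same query over TCP (no 512-byte cap)."""
    transports = ["udp"]
    msg = udp_answer(qname, answers, client_bufsize)
    if is_truncated(msg):
        transports.append("tcp")
        msg = build_response(qname, answers)
    return {"transports": transports, "answers": answer_count(msg), "size": len(msg)}


def quoted_rule_verdict(proto, dst_port, src_ip, allowed_peers):
    """The rule from the quoted post: any TCP/53 packet not from a known primary/secondary is 'attack'."""
    if proto == "tcp" and dst_port == 53 and src_ip not in allowed_peers:
        return "attack"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data: a 10-record TXT RRset of 40-byte strings (~669 bytes on the wire).
    big = [b"x" * 40] * 10
    legacy = simulate_lookup("example.com", big)               # no EDNS -> TC -> TCP retry
    modern = simulate_lookup("example.com", big, client_bufsize=4096)
    print("no EDNS :", legacy)
    print("EDNS4096:", modern)
    # The legitimate TCP retry above comes from an ordinary client, not a zone-transfer peer.
    peers = {"192.0.2.1", "192.0.2.2"}                         # constructed primary/secondary
    print("quoted rule on the retry:", quoted_rule_verdict("tcp", 53, "203.0.113.10", peers))
```

Run as-is: the non-EDNS lookup is served only after a TCP retry, the EDNS lookup completes over UDP, and the quoted rule labels the legitimate TCP retry "attack". That is the false-positive case Hugo is pointing at; matching TC-triggered retries (or simply rate-limiting TCP/53 instead of dropping it) is the defensive adjustment.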