[73247] in North American Network Operators' Group
Re: Summary with further Question: Domain Name System protection
daemon@ATHENA.MIT.EDU (sthaug@nethelp.no)
Tue Aug 17 09:47:17 2004
To: joe_hznm@yahoo.com.sg
Cc: nanog@merit.edu
In-Reply-To: Your message of "Tue, 17 Aug 2004 19:54:16 +0800 (CST)"
From: sthaug@nethelp.no
Date: Tue, 17 Aug 2004 15:46:11 +0200
Errors-To: owner-nanog-outgoing@merit.edu
> What I'm not sure about with an ACL on the router is how the
> DNS server survives a DoS/DDoS attack. We suffered a DoS
> attack last year, and we found that the source IPs of that
> attack were located in our customers' IP address blocks. An
> ACL on the router can only filter traffic that is not
> meaningful to the DNS server, but what about the DDoS
> attack packets themselves?
Your router can presumably rate limit the traffic towards the name
server to a level the name server can handle. On the name server
you can perform further rate limiting on an IP address basis, with,
for instance, FreeBSD ipfw.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
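The reply describes two stages: an aggregate rate limit on the router, then a per-source-address limit on the name server host itself (ipfw in the post). The example below is added here and is not code from the original post, from ipfw, or from any NANOG participant; it models only the second stage, a token bucket per client IP, so the effect on a mixed stream of legitimate and flooding customer addresses can be inspected offline. The rate and burst values, the `PerSourceLimiter` and `filter_dns` names, and the packet trace are all constructed for illustration, not measurements or real firewall syntax. Times are integer milliseconds and tokens integer milli-queries, so the counts are exact.

```python
"""Per-source-address rate limiting of DNS queries, modelled as a token
bucket per client IP.

Added example, not code from the original post or from ipfw: it models
the effect of a per-address limit in a host firewall in front of a name
server. All times are integer milliseconds and tokens are integer
milli-queries so the result is deterministic. The packet trace is
constructed, not captured traffic.
"""
from collections import namedtuple

# Minimal view of a packet: arrival time (ms), source address, UDP dst port.
Packet = namedtuple("Packet", "t_ms src dport")

DNS_PORT = 53
MILLI = 1000  # one query costs 1000 milli-tokens


class PerSourceLimiter:
    """One token bucket per source address (hypothetical helper).

    rate_qps: sustained queries per second allowed from a single address
    burst:    how many queries an idle address may send back to back
    """

    def __init__(self, rate_qps, burst):
        self.rate_qps = rate_qps
        self.capacity = burst * MILLI
        self._buckets = {}  # src -> (milli_tokens, last_seen_ms)

    def allow(self, src, now_ms):
        # A previously unseen address starts with a full bucket.
        tokens, last = self._buckets.get(src, (self.capacity, now_ms))
        # rate_qps queries per second == rate_qps milli-tokens per ms
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate_qps)
        if tokens >= MILLI:
            self._buckets[src] = (tokens - MILLI, now_ms)
            return True
        self._buckets[src] = (tokens, now_ms)
        return False


def filter_dns(packets, rate_qps=20, burst=10):
    """Apply the per-source limit to the port-53 traffic in `packets`.

    Returns two dicts, passed and dropped, each mapping a source address
    to a query count. Non-DNS packets are skipped here: in the set-up the
    post describes, the router ACL has already removed them.
    """
    limiter = PerSourceLimiter(rate_qps, burst)
    passed, dropped = {}, {}
    for p in sorted(packets, key=lambda p: p.t_ms):
        if p.dport != DNS_PORT:
            continue
        tally = passed if limiter.allow(p.src, p.t_ms) else dropped
        tally[p.src] = tally.get(p.src, 0) + 1
    return passed, dropped


def constructed_trace():
    """Constructed sample using RFC 5737 documentation addresses: a
    legitimate resolver querying at 5 qps and a customer host in the
    same address block flooding the server at 1000 qps, both for 1 s."""
    pkts = [Packet(i * 200, "192.0.2.10", DNS_PORT) for i in range(5)]
    pkts += [Packet(i, "198.51.100.77", DNS_PORT) for i in range(1000)]
    pkts.append(Packet(500, "198.51.100.77", 80))  # not DNS, not counted
    return pkts


if __name__ == "__main__":
    passed, dropped = filter_dns(constructed_trace())
    for src in sorted(set(passed) | set(dropped)):
        print(f"{src:16} passed={passed.get(src, 0):4} "
              f"dropped={dropped.get(src, 0):4}")
```

With a 20 qps / 10-query-burst limit, the 5 qps resolver loses nothing, while the flooding address gets its burst plus 20 queries per second and the remaining 971 queries in that second are dropped before they reach the name server. The aggregate router-side limit from the reply is not modelled: a single cap shared by all clients would let the flood crowd out the legitimate resolver, which is exactly why the reply adds the per-address stage on the host.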