Adding more servers and going to 10G NICs seems relatively inexpensive
and that should be helpful for "casual" attacks where you're being used
as a reflector. In those attacks, no one's out to attack you: they just
want you to attack someone else, and don't mind eating all your
bandwidth/CPU/whatever in order to do that.
Adding more bandwidth without enabling RRL or putting some sort of
filtering in place will make your facilities more attractive to
attackers, though. I'd expect that attackers are passing around lists
of particularly good sites for reflector attacks, and the fewer controls
you have, and the more bandwidth you have, the more attractive you are
for use in an attack -- and therefore the more likely you are to have
your resources saturated.
I think RRL should be safe to run all the time. You wouldn't want to
scramble to enable it during an attack.
I don't know if there are commercial devices I would trust to be helpful
in these situations, but when I was doing DNS DDoS work, nothing
commercial was going to scale enough, so I didn't consider them much. :-)
The hard thing about these attacks is that there's always some time when
local resources aren't enough: when you upgrade to 50Gbit/sec of
capacity and the next attack is 60Gbit/sec of traffic. I'd expect some
correlation between "really high bandwidth attacks" and "attacks that
are meant to hurt you instead of just use you as a reflector" but that
correlation won't be perfect. It's unfortunate that in the DNS attack
world, for a lot of attacks, all you can do is have massively more
capacity than you need on a daily basis.
The advantage to moving DNS into a cloud provider is that they have the
resources to massively, crazily overprovision, to the point where it
would be hard even for a nation-state to mount a big enough attack to
take them down. I'm most familiar with Cloudflare (I have never worked
there, for the record) but certainly there are other companies worth
looking at. However, if you still have your nameservers in the public
set of NS records for your domains, you'll still be vulnerable. Some of
these providers can probably load your zones using you as a shadow
master: they just do a zone transfer from your DNS infrastructure, then
serve all the queries from their own systems.
That's my perspective. Hopefully it's not too out of date.
-Steve
On 4/3/2020 4:18 AM, Tessa Plum wrote:
Hi Steve
I am so appreciate to get your kind private message, though I would
like to reply my content to the list.
We are running authoritative name servers only, zone data are for the
university only.
When the attack happened, the bandwidth watched in our gateway was
about 20Gbps. That made name servers totally no response. Each name
server has only 1Gbps interface to internet, so it dies.
We were considering the actions:
1. increase bandwidth to both inbound gateway and vlan for nameservers.
2. upgrade the network interface of nameserver to 10Gbps.
3. run multiple servers as cluster.
4. try to get a commercial device to analyst and stop such kind of
attack.
5. enable RRL when attack happens.
6. I will try to suggest administrator to run secondary nameservers on
professional hosting, such as cloudflare, Akamai, AWS route 53 etc.
(also easyDNS, DNSimple, DNSMadeEasy, NS1 can be considered?)
How do you think of them?
Thank you.
regards
Tessa
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
