> ] other cctld servers have seen what are effectively ddos. rob thomas
> ] seems to have the most clue on this, so i hope this troll will entice
> ] him to speak.
>
> Did someone say "troll?" :)
>
> Yes, this is a real problem. These attacks have exceeded several
> gigabits per second in size, and during one attack 122K DNS name
> servers were abused as amplifiers. Ouch!
>
> This abuse can be mitigated. Here are a few tips.
<there has -GOT- to be a better name for this>

> Limit recursion to trusted netblocks and customers. Do not permit
> your name servers to provide recursion for the world. If you do,
> you will contribute to one of these attacks.

<recursion is a fundamental DNS design feature, restricting it to
"walled gardens" cripples its usefulness>

> Watch for queries to your name servers that ask for "ANY" related
> to a DNS RR outside of the zones for which you are authoritative.
> This DNS RR will be LARGE.

<a valid concern, w/ the following caveat: LARGE, relative to current
traffic>

> Limit UDP queries to 512 bytes. This greatly decreases the
> amplification effect, though it doesn't stop it.

<limiting UDP to 512 has other, unwanted effects, edns0 for one...
crippling ENUM, DNSSEC, IPv6, etc... is this really what is wanted?>

> Scan your IP space for name servers that permit recursive queries.
> It's amazing just how many of these name servers exist.

<yup... again, a feature that has made the DNS as useful as it has become>

> Refer to the following guides for some excellent insight and
> suggestions.
>
> <http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf>
> <http://cc.uoregon.edu/cnews/winter2006/recursive.htm>
> <http://dns.measurement-factory.com/surveys/sum1.html>
>
> Note we have our own Secure BIND Template which will help on the
> BIND side of life.
>
> <http://www.cymru.com/Documents/secure-bind-template.html>
>
> If you need assistance with any of this, have endured one of these
> attacks, or have any other questions, please don't hesitate to ping
> on us at [EMAIL PROTECTED] We're here to assist!
>
> Thanks!
> Rob.
> --
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);

ok, so i'm being a bit of a curmudgeon here but just how, if we throttle
DNS to the minimum suite for today's services, can we be expected to add
new features/services?

grump grump grump...

--
(grumpy) bill
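As an added example (not part of this thread, and not Team Cymru's Secure BIND Template), the following script turns two of the tips quoted above into a check you can run over a query log: it flags "ANY" queries for names outside the zones you are authoritative for, and recursion requested (RD set) from outside the netblocks you actually serve. It assumes a log line format modeled on BIND 9's query log (`client <ip>#<port>: query: <name> <class> <type> <flags>`, where a leading `+` in the flags field means the client set RD and `E` marks EDNS), a stand-in list of authoritative zones and trusted netblocks, and constructed sample lines; none of those values come from the thread.

```python
"""Flag DNS query-log lines that fit the amplification pattern discussed above:
ANY queries for names outside our authoritative zones, and recursion (RD set)
requested from outside the netblocks we serve.  Log format and data are
constructed for the example, modeled on BIND 9's query log."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: zones this server is authoritative for (stand-in values).
AUTH_ZONES = ("example.com.", "example.net.")

# Assumption: netblocks that may use this server for recursion (stand-in values).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8::/32")]

# BIND 9 style query-log line.  The flags field begins with '+' when the client
# set RD (recursion desired) and '-' when it did not; 'E' marks an EDNS query.
# Newer BIND versions add "@0x..." and "(view)" tokens, tolerated here.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
client 192.0.2.10#5123: query: www.example.com IN A + (192.0.2.1)
client 192.0.2.10#5124: query: www.example.org IN A + (192.0.2.1)
client 203.0.113.7#53: query: example.org IN ANY +E (192.0.2.1)
client 203.0.113.7#53: query: example.org IN ANY +E (192.0.2.1)
client 203.0.113.7#53: query: example.org IN ANY +E (192.0.2.1)
client 198.51.100.4#40001: query: mail.example.net IN MX - (192.0.2.1)
client 198.51.100.9#40002: query: example.org IN ANY +E(0) (192.0.2.1)
client 198.51.100.9#40003: query: ftp.example.org IN A + (192.0.2.1)
""".splitlines()


def in_auth_zone(qname):
    """True if qname is at or below one of AUTH_ZONES (case-insensitive)."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in AUTH_ZONES)


def is_trusted(src):
    """True if the client address lies inside a netblock allowed to recurse."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def classify(line):
    """Parse one log line; return None if it is not a query line, else a dict
    with the parsed fields and the list of reasons it looks abusive."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src, qname, qtype, flags = m.group("src", "qname", "qtype", "flags")
    rd = flags.startswith("+")
    reasons = []
    if qtype.upper() == "ANY" and not in_auth_zone(qname):
        reasons.append("any-out-of-zone")           # large answer we need not give
    if rd and not in_auth_zone(qname) and not is_trusted(src):
        reasons.append("recursion-from-untrusted")  # open-recursor use
    return {"src": src, "qname": qname, "qtype": qtype, "rd": rd,
            "reasons": reasons}


def analyze(lines):
    """Count abusive-looking queries per source address."""
    per_src = defaultdict(Counter)
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        for reason in rec["reasons"]:
            per_src[rec["src"]][reason] += 1
    return {src: dict(counts) for src, counts in per_src.items()}


def likely_victims(report, threshold=3):
    """Sources sending >= threshold out-of-zone ANY queries.  In a reflection
    attack the source address is spoofed, so these are the addresses being
    flooded with our answers, not the attacker; rate-limit answers toward
    them rather than treating them as culprits."""
    return sorted(src for src, c in report.items()
                  if c.get("any-out-of-zone", 0) >= threshold)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, counts in sorted(report.items()):
        print(src, counts)
    print("likely reflection targets:", likely_victims(report))
```

Point it at a real file with `analyze(open("query.log"))` after adjusting the zone and netblock lists. The trusted-netblock check is the log-side counterpart of restricting recursion in the server config; if you are weighing the 512-byte cap that bill objects to, the `E` in the flags field is the cheap way to see how much of your current query load is already EDNS and would be affected.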