In message <blu149-w13ef74e1e2eba2fe9dd3f385...@phx.gbl>, MontyRee writes: > > Hello, all. > > I have operated some dns servers and I'm curious what should I do if > ddos attck to my dns servers. > > So do you know how to defense against dns dddos attack like root server? > > Surely, various ddos attack may be occurred. > > My idea is.. > > -. filtering 53/udp traffic that the byte is over 512 byte > -. rate-limit against 53/udp queries > (but useless if the attack spoof the source ip) > -. deny recursion > -. anycast? > > Is ther any comments or proposal?
How you defend against a DoS attack depends on the actual attack and what services you are attempting to provide and to whom. You want to minimise collateral damage and some of the methods above are likely to introduce collateral damage. > Thanks in advance. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users