On 10/31/16 12:41, MURTARI, JOHN wrote:
> God only knows, the DDOS hackers are probably on this list....but I
> have to ask what protections DYN had in place before the attack
> occurred. RRL has been promoted as some protection against these
> types of attacks. If they had it in place, did it help or was the
> pure volume of traffic the real issue?

Having been burned by the DDoS I can tell you that 'RRL' functionality
was pretty much irrelevant in this case. This was not using DNS servers
as traffic amplifiers (which is what RRL mitigates against). This was
using millions of insecure IoT devices -- frequently web cams -- to
generate a massive overkill-level traffic surge -- lots of DNS lookups --
that simply overwhelmed Dyn's servers. This despite the fact that Dyn has
a global anycast network with plenty of bandwidth, points of presence all
round the world and each POP contains a bunch of top-of-the-line servers.

Surviving DDoS is all about having more capacity available than your
attackers can fill up[*]. These Mirai botnets have upped the ante by a
wide margin. I suspect that the DDoS protection companies, the big DNS
service providers, the TLD and the root operators are quietly but
frantically working on plans to beef up their defenses...

Cheers,

Matthew

[*] Even by proxy: anti-DDoS companies essentially have network capacity
available for hire as well as some pretty fancy traffic filtering
techniques.
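
To illustrate the point made in the reply above, that RRL targets reflection and amplification rather than a flood from many real sources, here is an added example (not part of the original post, and not BIND's implementation): a simplified per-netblock response limiter run over two constructed traffic mixes. The limit of 5 responses per second, the /24 grouping, and all addresses and names are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

def rrl_filter(queries, responses_per_second=5, prefix_len=24):
    """Simplified response rate limiting (illustrative, not BIND's code).

    queries: iterable of (timestamp_seconds, source_ip, qname).
    At most `responses_per_second` identical answers go to any one client
    netblock per one-second window. Returns (answered, dropped).
    """
    sent = defaultdict(int)
    answered = dropped = 0
    for ts, src, qname in queries:
        block = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        key = (int(ts), block, qname.lower())
        sent[key] += 1
        if sent[key] <= responses_per_second:
            answered += 1
        else:
            dropped += 1
    return answered, dropped

def reflection_traffic(n):
    """Constructed sample: n queries in one second, all carrying the same
    spoofed source address (the victim the answers are reflected at)."""
    return [(i / n, "192.0.2.10", "example.com") for i in range(n)]

def botnet_traffic(n_devices, queries_each=2):
    """Constructed sample: many real devices, each in its own /24, each
    sending only a couple of queries in the same second."""
    queries = []
    for d in range(n_devices):
        src = str(ipaddress.ip_address((10 << 24) + (d << 8) + 1))
        queries += [(0.0, src, "example.com")] * queries_each
    return queries

if __name__ == "__main__":
    for name, traffic in (("reflection", reflection_traffic(10_000)),
                          ("botnet", botnet_traffic(5_000))):
        answered, dropped = rrl_filter(traffic)
        print(f"{name:10s} answered={answered:6d} dropped={dropped:6d}")
```

In the second mix every query is answered, so the load on the server is set by the aggregate query volume, not by any per-client limit.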