Hello Paul

We were under some kind of attack, like a UDP flood against the authority servers; there were a lot of UDP requests flooding the servers. The traffic size was about 20Gbps last time, as I said in my last message. The clients seem to be using spoofed IP addresses.

Thanks.
Tessa


Paul Vixie wrote:
On Thursday, 2 April 2020 02:14:14 UTC Tessa Plum wrote:
Hello

May I ask if there are any solutions for DDoS mitigation of DNS?
Both commercial and free solutions could be considered.

Thanks.

Tessa
https://plum.ovh/

to keep your own authority servers from amplifying spoofed-source attacks, you
need response rate limiting, available in bind9, dnsdist, nsd, (any others?)

to keep your own recursive servers from amplifying spoofed-source attacks, you
need ACL's that make it unreachable outside your specific client base.

to keep your own servers of whatever kind from being ddos'd into congestion
loss, you need massive overprovisioning including both local and global
anycast. you may also need something like akamai's "clean feed" filtering.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
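
Added example, not part of the thread and not code from bind9, dnsdist or nsd: a simplified Python model of the response rate limiting mentioned in the quoted reply, showing why a spoofed-source flood aimed at one victim network is cut off while unrelated clients are still answered. The class and function names, the rate of 5 responses per second, the slip value of 2, the prefix lengths and the sample addresses are all assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

class ResponseRateLimiter:
    """Simplified model of DNS response rate limiting (illustrative, not a server's code)."""

    def __init__(self, responses_per_second=5, slip=2, v4_prefix=24, v6_prefix=56):
        self.rate = float(responses_per_second)
        self.slip = slip
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.buckets = {}                 # key -> (tokens, time of last update)
        self.limited = defaultdict(int)   # key -> responses withheld so far

    def _key(self, src, qname, qtype):
        # Spoofed sources point at a victim, so account per destination network
        # (not per address) and per identical response (name + type).
        ip = ipaddress.ip_address(src)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype)

    def decide(self, src, qname, qtype, now):
        """Return 'send', 'truncate' (small TC=1 reply) or 'drop' for one response."""
        key = self._key(src, qname, qtype)
        tokens, last = self.buckets.get(key, (self.rate, now))
        tokens = min(self.rate, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return "send"
        self.buckets[key] = (tokens, now)
        self.limited[key] += 1
        # Every slip-th withheld response goes out truncated, so a genuine
        # client inside the victim prefix can still retry over TCP.
        if self.slip and self.limited[key] % self.slip == 0:
            return "truncate"
        return "drop"

def simulate_flood(rrl, n=100, now=0.0):
    """Constructed input: n identical queries 'from' spoofed hosts in 203.0.113.0/24."""
    return Counter(
        rrl.decide(f"203.0.113.{i % 254 + 1}", "example.com.", "ANY", now)
        for i in range(n)
    )

if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    print(simulate_flood(rrl))                                     # flood toward the victim
    print(rrl.decide("198.51.100.7", "example.com.", "ANY", 0.0))  # unrelated client
```

Only the full-size responses amplify; the truncated replies are about the size of the query, so the victim network receives far less traffic than the flood requested.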
