North American Network Operators Group
Ok this time with the correct from address ;-)

Paul Vixie wrote:

> ok so this part does not mystify me...
I'm not worried about the 50k queries a day; the previous mail was about setting this as a threshold, as in 'ok, you're saving some money/bandwidth by using us, help us extend the service and protect against DDoS by paying a nominal subscription'. I can handle around 6000 DNS queries per second here, but the DDoS hit the servers with 300,000 packets per second of invalid DDoS crap that I can't handle alone.

I have been talking to a lot of people about solutions and came up with a 'distributed DNS blocklist' idea. This led to my post earlier, as Joe had issues with DDoS on the addresses he had listed in the root nameservers - which I figure is the weakest link all round...

Someone has suggested 'anycasting'. What do people (particularly you, Paul) think of using anycasting for a DNSbl? (AS112, anyone?) I think it may work well... however, I am a novice in terms of BGP... As far as I can tell, it involves getting a portable address block (someone suggested anything less than a /24 would get filtered) and announcing it in various locations around the Net with local servers behind each of those announcements.... Is this fundamentally correct?

Assuming I am right in my current understanding, I am about to start looking at the procedure to get an ASN, and then I'll be looking for some portable IP space if the consensus and thoughts are that this will work. I am thinking along the lines of talking with the other large DNSbls (particularly Easynet (wirehub) and DSBL) about setting up a set of combined DNSbl servers, all anycasted. This, after all, will bring any DDoS machines to the attention of the local networks they are attacking .... ;-)

Thoughts, comments, flames...?

Thanks for all the offers of support and help, I will get back to everyone in detail as soon as I get the chance.

Yours

Mat
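The 'distributed DNS blocklist' idea above starts with each DNSbl node noticing which sources are hammering it. The following is an added example, not code from the post or from any of the DNSbls named in it: it flags clients whose per-second query rate exceeds a threshold, over constructed log lines in an assumed "<epoch_seconds> <client_ip> <query_name>" format; the threshold and all addresses are assumptions.

```python
"""Per-source DNS query-rate detection over constructed log lines.

Added example (not from the NANOG post). Each anycast node could run
this locally and share the flagged sources, which is the first step of
the 'distributed DNS blocklist' the post proposes. Log format, threshold
and addresses are assumptions / constructed data.
"""
from collections import defaultdict

# Constructed sample log: "<epoch_seconds> <client_ip> <query_name>"
# 203.0.113.7 sends four queries inside second 1000, the others far fewer.
SAMPLE_LOG = """\
1000.10 192.0.2.10 4.3.2.1.dnsbl.example
1000.20 192.0.2.10 5.3.2.1.dnsbl.example
1000.30 203.0.113.7 6.3.2.1.dnsbl.example
1000.35 203.0.113.7 7.3.2.1.dnsbl.example
1000.40 203.0.113.7 8.3.2.1.dnsbl.example
1000.45 203.0.113.7 9.3.2.1.dnsbl.example
1001.10 203.0.113.7 10.3.2.1.dnsbl.example
1001.20 198.51.100.2 1.1.1.1.dnsbl.example
"""


def parse_log(text):
    """Yield (one_second_bucket, client_ip) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _qname = line.split()
        yield int(float(ts)), client


def flag_heavy_sources(text, max_qps):
    """Return {client_ip: peak_qps} for every client that exceeded
    max_qps within any single one-second bucket (threshold is assumed)."""
    counts = defaultdict(int)
    for sec, client in parse_log(text):
        counts[(sec, client)] += 1
    peaks = defaultdict(int)
    for (_sec, client), n in counts.items():
        peaks[client] = max(peaks[client], n)
    return {c: p for c, p in peaks.items() if p > max_qps}


if __name__ == "__main__":
    print(flag_heavy_sources(SAMPLE_LOG, max_qps=3))  # {'203.0.113.7': 4}
```

In production the one-second bucket would be a sliding window and the threshold set well below the ~6000 qps the post says a single node can serve.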