North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: DNS problems to RoadRunner - tcp vs udp
There is no call for insults on this list - Rather thought this list was about techincal discussions affecting all of us and keeping DNS alive for the majority of our customers certainly qualifies.
We/I am more than aware of the DNS mechanisms and WHY there are there trouble is NO DNS server can handle directed TCP attacks even the root servers crumbled under directed botnet activity and we have taken the decision to accept some collateral damage in order to keep services available. We are a well connected university network with multi-gigabit ingress and egress with 10G on Abilene so we try to protect the internet from attacks originating within our borders AND we really feel the full wrath of botnets as we do not have a relatively slow WAN link to buffer the effects.
Yes - we are blocking TCP too many problems with drone armies and we started about a year ago when our DNS servers became unresponsive for no apparent reason. Investigation showed TCP flows of hundreds of megabits/sec and connection table overflows from tens of thousands of bots all trying to simultaneously do zone transfers and failing tried active denial systems and shunning with limited effectiveness.
We are well aware of the host based mechanisms to control zone information, Trouble is with TCP if you can open the connection you can DoS so we don't allow the connection to be opened and this is enforced at the network level where we can drop at wire speed. Open to better ideas but if you look at the domain in my email address you will see we are a target for hostile activity just so someone can 'make their bones'.
Also recall we have a comittment to openess so we would like to make TCP services available but until we have effective DNS DoS mitigation which can work with 10Gb links It's not going to happen.
Jeroen Massar wrote:
Scott McGrath wrote: [..]For a long time there has been a effective practice of