To: claudio@telmon.org
Cc: dnssec@cafax.se
From: Havard Eidnes <he@uninett.no>
Date: Wed, 04 Dec 2002 21:02:39 +0100 (CET)
In-Reply-To: <3DEE31AB.9030207@telmon.org>
Sender: owner-dnssec@cafax.se
Subject: Re: links about dns and DDOS
> Hope this is a proper place to ask:

It probably isn't, but I'll give you a few quick answers anyway:

> could somebody please give me some links on discussions/studies/
> papers/whatever on how to protect the root nameservers from DDOS [...]

Sorry, no pointers.  However, a couple of things immediately spring
to mind:

 o Secure the hosts at the edge of the network.  Yes, this is a
   gigantic task, but getting rid of the massive armies of attack
   zombies is the only real way to solve the problem of DDoS attacks.

 o Get providers to implement ingress filtering as close as possible
   to the edge of the network, so that it becomes easier to trace the
   DDoS attack zombies.  Yes, this is also a massive task, but nothing
   gets better if the providers collectively sit on their hands.  This
   also only really helps if a significant fraction of the providers
   do this.

 o Replicate more instances of each of the 13 root name servers, and
   connect them at various different points in the topology, much in
   the same vein as the AS112 experiment.  This will tend to spread
   out the effects of a DDoS attack (making it harder to attack
   effectively) and/or localize the effects of an attack.

> [...] or on how to reduce the effect of DDOS on the dns in general?

Use multiple slave name servers, connected at different points in
the overall Internet topology.

> Also, would this be a proper place to discuss this topic?

As I said above, probably not.  I guess a more appropriate place
would be the dnsops working group mailing list of the IETF.

Regards,

- Håvard
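The ingress filtering recommended in the mail above, worked through as an added example that is not part of the original message or of any router vendor's code: a feasible-path reverse-path check (the BCP 38 idea, as routers implement it with unicast RPF) written in Python over a constructed forwarding table. The router, its interface names (cust1, cust2a, cust2b, upstream), the customer prefixes and the sample packets are all assumptions made for this example; the martian list is the usual RFC 1918 and reserved ranges.

```python
"""Ingress (BCP 38 / feasible-path uRPF) source-address filtering.

Added example, not from the original mail.  Assumes a hypothetical provider
edge router with two customer interfaces and one upstream link; every prefix,
interface name and packet below is constructed for illustration.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

Network = ipaddress.IPv4Network
Address = ipaddress.IPv4Address

# Constructed forwarding table: prefix -> interfaces through which the prefix
# is reachable.  cust2 is dual-homed to this router, so its block is reachable
# via two interfaces (this is what makes the check "feasible-path" rather than
# strict; strict uRPF would wrongly drop its traffic on the second link).
# The last entry is the default route toward the provider core.
FIB: Dict[Network, FrozenSet[str]] = {
    ipaddress.ip_network("192.0.2.0/24"): frozenset({"cust1"}),
    ipaddress.ip_network("198.51.100.0/24"): frozenset({"cust2a", "cust2b"}),
    ipaddress.ip_network("0.0.0.0/0"): frozenset({"upstream"}),
}

# Source addresses that must never appear on the public Internet ("martians");
# dropped on every interface regardless of what the FIB says.
MARTIANS: List[Network] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def reverse_path(src: Address) -> Tuple[Network, FrozenSet[str]]:
    """Longest-prefix match: the FIB entry the router would use to reach src."""
    best = max((n for n in FIB if src in n), key=lambda n: n.prefixlen)
    return best, FIB[best]


def ingress_check(iface: str, src: str) -> Tuple[str, str]:
    """Accept a packet only if the interface it arrived on is one the router
    would use to send traffic back to its source address."""
    addr = ipaddress.ip_address(src)
    if any(addr in m for m in MARTIANS):
        return "drop", "martian source address"
    prefix, ifaces = reverse_path(addr)
    if iface in ifaces:
        return "pass", f"reverse path for {prefix} includes {iface}"
    return "drop", f"reverse path for {prefix} is {sorted(ifaces)}, not {iface}"


def filter_packets(packets):
    """Apply the check to (interface, source) pairs; returns (passed, dropped)."""
    passed, dropped = [], []
    for iface, src in packets:
        verdict, why = ingress_check(iface, src)
        (passed if verdict == "pass" else dropped).append((iface, src, why))
    return passed, dropped


# Constructed sample traffic: genuine packets mixed with the spoofed ones a
# DDoS zombie sitting behind cust1 would emit.
SAMPLE_PACKETS = [
    ("cust1", "192.0.2.77"),       # cust1 host, genuine source
    ("cust1", "203.0.113.5"),      # cust1 host spoofing an unrelated address
    ("cust1", "198.51.100.9"),     # cust1 host spoofing another customer
    ("cust1", "10.0.0.1"),         # RFC 1918 source, never valid here
    ("cust2b", "198.51.100.9"),    # dual-homed customer, arriving on its second link
    ("upstream", "203.0.113.5"),   # ordinary Internet source from the core
    ("upstream", "192.0.2.77"),    # outside host spoofing our own customer
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for row in ok:
        print("PASS", *row)
    for row in bad:
        print("DROP", *row)
```

Of the seven constructed packets, three pass and four are dropped. The point the mail makes follows directly: once the edge router refuses packets whose source is not reachable back through the interface they came in on, a zombie on cust1 can only flood the root servers using its real 192.0.2.0/24 address, which is what makes it traceable. The check on the upstream interface also stops outsiders from spoofing the provider's own customers. The filter only helps at the edge where the FIB is specific; on a link carrying a full routing table with asymmetric paths, operators typically relax it (loose mode, or feasible-path as above) to avoid dropping legitimate traffic.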