Home page logo

nanog logo nanog mailing list archives

Re: DOS attack against DNS?
From: Paul Vixie <paul () vix com>
Date: Tue, 17 Jan 2006 19:21:03 +0000

# Last saturday one of our Web server experienced a TCP SYN attck which make
# the system down for four hours.  It seems there is not a good solution which
# could detect & defend DoS traffic at any time.

by definition, there will never be a single defense against all attacks.

# So, to the class ANY queries, should we only filtering out class any queries
# on public cache servers ?

if you're seeing them and they're hurting you, yes.  or if you're willing to
undure the configuration pain of always dropping them (see marka's recent mail
on "view" statements for this purpose), then yes.

# To my understandings, the amplifying result could also be reached by query
# type any.

that's not my understanding.  you're more likely to be hurt by a peer's lack
of BCP38 conformance than by all the type=ANY queries you'll ever hear in DNS.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]