[dns-wg] RIPE NCC Authoritative and Secondary DNS services on Monday 14 December

Thanks for the information Romeo I wonder if perhaps you would consider doing a presentation at the next WG meeting on the issues you encountered and mitigation techniques you used.

Thanks

Brett

--
Brett Carr
Senior DNS Engineer
Nominet UK

> On 15 Dec 2015, at 12:35, Romeo Zwart <romeo.zwart at ripe.net> wrote:
> 
> Dear colleagues,
> 
> Yesterday, Monday 14 December 2015, RIPE NCC Authoritative DNS services
> were functioning in a severely degraded state during parts of the day.
> 
> This was due to an attack on one of the ccTLDs for which the NCC hosts a
> secondary DNS service. The attack traffic started around 08:00 UTC. RIPE
> NCC staff applied various countermeasures during the day. These
> mitigations were effective for some time. However, after implementing
> each of these mitigations, the traffic patterns were modified to evade
> them. Towards the end of the day, the volume of the attack traffic
> targeted at our servers had increased to such a level that it was
> overloading our incoming links and our mitigation measures were no
> longer sufficiently effective.
> 
> At that time we were forced to contact our upstream peers to assist us
> with mitigation measures. Apart from the ccTLD service for the attacked
> domain, normal services were restored at around 18:30 UTC.
> 
> The attack is ongoing, and we continue with mitigation measures in order
> to provide the best service possible under the circumstances.
> 
> We note that attacks like this rely on spoofing source addresses in the
> attack packets. Therefore, Source Address Validation and BCP-38 should
> be used wherever possible to reduce the ability to abuse networks to
> transmit spoofed source packets.
> 
> Kind regards,
> Romeo Zwart
>