[dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers
Henrik Lund Kramshøj
hlk at kramse.org
Wed Jun 29 08:55:22 CEST 2016
> On 28 Jun 2016, at 15:46, Carlos M. Martinez <carlosm3011 at gmail.com> wrote:
>
> I’m sure there are plenty of people that will disagree with me, but, IMO, you should never put stateful devices in front of a DNS server. It’s better to have plenty of DNS servers on different networks and let them crash and burn if necessary. Just like you never put bananas in the refrigerator :-)

The stateless part has already been responded to. The examples, which are from Junos, I believe work very well with regards to DDoS. I have used comparable filtering a lot in other cases.

So by counting the number of packets matching and using the line-rate stateless filtering, we can clean up the traffic some before it reaches the servers, making them more likely to keep running. And when being attacked the harm is already done; service will be interrupted if we do nothing … so the talk about these boxes throwing away some traffic, bad middleboxes etc. These are not middleboxes, but part of the overall solution at the end-network - and as such they increase operational cost - but they bring more resilience and stability to the service.

They even work using the existing hardware devices in many circumstances, making the cost less than buying “DDoS protection service box model 2000”.

YMMV, and you should always consider your own environment; adding DNSSEC comments are great etc. Some things SHOULD be discarded, others rate-limited.

Shameless link: https://ripe72.ripe.net/wp-content/uploads/presentations/32-simulated-ddos-ripe.pdf which has similar advice.

> A moderate volume DDoS will bring most stateful firewalls to their knees, even attacks that can be weathered nicely by a FreeBSD + bind box.
>
> I had a very nice conversation in CPH with a person from Russia and we were very much in agreement on this. Sadly I forgot his name and neither of us had any cards left. If you’re there, please get in touch!
> -Carlos
>
>> On Jun 28, 2016, at 10:16 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>>
>> On Tue, Jun 28, 2016 at 12:41:51PM +0200,
>> Ralf Weber <dns at fl1ger.de> wrote
>> a message of 32 lines which said:
>>
>>> IMHO this is full of bad ideas and against protocol specs. While I
>>> agree that in this day and age one must defend against attacks on
>>> DNS systems, just blindly dropping on packet size or fragments is a
>>> very bad idea. Forwarding to 8.8.8.8 also is
>>
>> I said more or less the same on the RIPE Labs site (comment not yet
>> moderated).

Mvh/Best regards
Henrik

—
Henrik Lund Kramshøj, Follower of the Great Way of Unix
internet samurai cand.scient CISSP
hlk at kramse.org hlk at zencurity.dk
+45 2026 6000
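An added illustration of the point argued above, not code from Henrik's message, the RIPE Labs article or the linked slides: a small Python model of a stateless filter (fixed counters plus one token-bucket policer per term, so memory does not grow with the number of sources) beside a connection-tracking firewall whose table fills up under a spoofed flood. The packet records, rates, burst and table size are constructed sample values, and a legitimate client arriving after the flood shows which device keeps serving.

```python
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dport t")  # src (spoofable), dst UDP port, arrival time (s)

class TokenBucket:
    """Policer with constant memory: one bucket per filter term, not per flow."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst, self.tokens, self.last = rate_pps, burst, float(burst), 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class StatelessFilter:
    """Terms are evaluated per packet; only counters and one bucket are kept."""
    def __init__(self, rate_pps, burst):
        self.counters, self.policer = Counter(), TokenBucket(rate_pps, burst)
    def process(self, pkt):
        if pkt.dport != 53:            # term 1: not DNS at all -> count and discard
            self.counters["discard-non-dns"] += 1
            return "discard"
        verdict = "accept" if self.policer.allow(pkt.t) else "policed"  # term 2: rate-limit
        self.counters[verdict] += 1
        return verdict

class StatefulFirewall:
    """Connection-tracking model: each new (src, dport) pair costs a table entry."""
    def __init__(self, max_entries):
        self.max_entries, self.table = max_entries, set()
    def process(self, pkt):
        key = (pkt.src, pkt.dport)
        if key in self.table:
            return "accept"
        if len(self.table) >= self.max_entries:
            return "table-full"        # new clients, legitimate or not, are refused
        self.table.add(key)
        return "accept"

def flood_comparison(n=10_000, pps=100_000, rate_pps=1_000, burst=100, max_entries=1_000):
    # Constructed flood: n packets at pps, each from a distinct spoofed source.
    flood = [Packet(f"spoofed-{i}", 53, i / pps) for i in range(n)]
    legit = Packet("198.51.100.7", 53, 1.0)   # arrives after the flood has subsided
    stateless, stateful = StatelessFilter(rate_pps, burst), StatefulFirewall(max_entries)
    sl, sf = (Counter(d.process(p) for p in flood) for d in (stateless, stateful))
    return {"stateless": dict(sl), "stateful": dict(sf),
            "legit_after": (stateless.process(legit), stateful.process(legit))}
```

With the defaults the stateless filter passes roughly burst plus rate times flood duration (about 200 packets) and still accepts the later legitimate query, while the stateful table is full after 1000 spoofed sources and refuses it.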