[dns-wg] New on RIPE Labs: Securing Network Infrastructure for DNS Servers
Ralf Weber
dns at fl1ger.de
Wed Jun 29 09:39:19 CEST 2016
Moin!

On 29 Jun 2016, at 8:55, Henrik Lund Kramshøj wrote:

> and when being attacked the harm is already done, service will be
> interrupted if we do nothing …

There is a difference on doing something as a response to attacks or having something hanging there that might treat you bad down the road.

> so the talk about these boxes throwing away some traffic, bad
> middleboxes etc. These are not middleboxes, but part of the overall
> solution at the end-network - and as such they increase operational
> cost - but they bring more resilience and stability to the service.
> They even work using the existing hardware devices in many
> circumstances, making the cost less than buying "DDoS protection
> service box model 2000"
>
> YMMV, and you should always consider your own environment, adding
> DNSSEC comments are great etc. Some things SHOULD be discarded, others
> rate-limited

I don't have problems with discarding, but again it should be done where the impact is understood and a router doesn't have that. Doing opaque dropping to the outbound of a resolver even while part of the solution can have weird effects and should be avoided.

> and shameless link
> https://ripe72.ripe.net/wp-content/uploads/presentations/32-simulated-ddos-ripe.pdf
> which has similar advice

Again that was during the attack and not permanent (Anand can correct me if I got it wrong). Also this was an authoritative server which has a different defence pattern than a resolver that was described in the article.

So long
-Ralf