relays.osirusoft.com
Matthew Sullivan
matthew at sorbs.net
Wed Aug 27 11:54:14 UTC 2003
Ok this time with the correct from address ;-)
Paul Vixie wrote:
>ok so this part does not mystify me...
>
>>Someone has been in contact with Joe via phone and posted
>>to another mailing list That Zhall Not Be Named that
>>exactly that is happening. The zone is dead, ...
>
>...because running blackhole lists is surprisingly more hard
>than most people think. (witness the sorbs.net message here
>a few hours ago complaining of 50Kpkt/day query loads.) i've
>paid some dues in this area, so i feel qualified to say that
>"i told you so" on this topic. but at least there's no mystery.
>
I'm not worried about the 50k queries a day; the previous mail was about
setting this threshold as an 'ok, you're saving some money/bandwidth by
using us, help us extend the service and protect against DDoS by paying
a nominal subscription'.
I can handle around 6000 DNS queries per second here, but the DDoS hit
the servers with 300,000 packets per second of invalid DDoS crap that I
can't handle alone.
I have been talking to a lot of people about solutions and came up with
a 'distributed DNS blocklist' idea; this led to my post earlier, as Joe
had issues with DDoS on the addresses he had listed in the root
nameservers - which I figure is the weakest link all round...
Someone has suggested 'anycasting'. What do people (particularly you, Paul)
think of using anycasting for a DNSbl? (AS112 anyone?) I think it may
work well... however, I am a novice in terms of BGP... As far as I can
tell it involves getting a portable address block (someone suggested
anything less than a /24 would get filtered) and announcing it in
various locations around the Net with local servers behind each of those
announcements.... Is this fundamentally correct?
Assuming I am right in my current understanding, I am about to start
looking at the procedure to get an ASN, and then I'll be looking for
some portable IP space if the consensus and thoughts are that this will
work. I am thinking along the lines of talking with the other large
DNSbls (particularly Easynet (wirehub) and DSBL) about setting up a set
of combined DNSbl servers, all anycast'd. This, after all, will bring the
DDoS machines to the attention of the local networks they are attacking
.... ;-)
Thoughts, comments, flames...?
Thanks for all the offers of support and help, I will get back to
everyone in detail as soon as I get chance.
Yours
Mat
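The two operational points in the post above, separating real DNSBL lookups from the malformed flood traffic and spotting which clients exceed a free-tier daily query threshold, worked as an added example that is not part of the original thread; the log line format (timestamp client qname qtype), the zone name and the client addresses are constructed for illustration.

```python
"""Per-client accounting and junk-query filtering over a DNSBL query log.
The log format, zone name and addresses are constructed for this example."""
import re
from collections import Counter

ZONE = "dnsbl.example.net"          # hypothetical DNSBL zone name
DAILY_FREE_QUERIES = 50_000         # the 50K/day figure discussed in the thread
CAPACITY_QPS = 6000                 # per-server capacity quoted in the thread

# A well-formed DNSBL lookup is four reversed IPv4 octets directly under the zone.
LOOKUP_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\."
                       + re.escape(ZONE) + r"\.?$")

def is_valid_lookup(qname, qtype):
    """True only for A/TXT queries whose name is a syntactically valid reversed IPv4."""
    m = LOOKUP_RE.match(qname)
    return qtype in ("A", "TXT") and bool(m) and all(int(o) <= 255 for o in m.groups())

def analyse(log_lines):
    """Split traffic into junk vs. real lookups and find who exceeds the free tier.
    Returns (per_client_counts, junk_count, peak_qps, clients_over_threshold)."""
    per_client, per_second, junk = Counter(), Counter(), 0
    for line in log_lines:
        ts, client, qname, qtype = line.split()
        if not is_valid_lookup(qname, qtype):
            junk += 1                 # malformed name or odd qtype: not a real lookup
            continue
        per_client[client] += 1
        per_second[ts] += 1
    peak_qps = max(per_second.values(), default=0)
    over = sorted(c for c, n in per_client.items() if n > DAILY_FREE_QUERIES)
    return per_client, junk, peak_qps, over

# Constructed sample: two ordinary resolvers, one source of malformed queries,
# and one client issuing 50,001 valid lookups within a single second.
SAMPLE_LOG = [
    "1061984000 198.51.100.1 4.3.2.1.dnsbl.example.net A",
    "1061984000 198.51.100.1 1.0.0.10.dnsbl.example.net TXT",
    "1061984001 198.51.100.2 1.1.168.192.dnsbl.example.net A",
    "1061984001 203.0.113.7 zzzz.dnsbl.example.net A",          # junk label
    "1061984001 203.0.113.7 4.3.2.999.dnsbl.example.net A",     # octet out of range
    "1061984002 203.0.113.7 4.3.2.1.dnsbl.example.net ANY",     # unexpected qtype
] + [f"1061984003 203.0.113.9 {i % 256}.{i // 256 % 256}.113.198.{ZONE} A"
     for i in range(DAILY_FREE_QUERIES + 1)]

if __name__ == "__main__":
    counts, junk, peak, over = analyse(SAMPLE_LOG)
    print(f"junk={junk} peak_qps={peak} overloaded={peak > CAPACITY_QPS} over_threshold={over}")
```

Clients in the over-threshold list are the candidates for the nominal-subscription conversation; the junk count is what a front-end filter could drop before it ever reaches the zone servers.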