down sev0?

alex at alex at
Thu Oct 26 04:14:43 UTC 2006

On 26 Oct 2006, Paul Vixie wrote:

> > > > I'm seeing * down (including ns*) from everywhere.
> > > They are apparently under a multi-gbps ddos of "biblical
> > > proportions".
> i wonder if that's due to the spam they've been sending out?
Paul, this isn't nanae. Let's not sling accusations like that wildly. 

> > As pointed out by Rob Seastrom in private email, RFC2182 addresses things
> > of biblical proportions -
> no.  really, not.
> >                           such as dispersion of nameservers
> > geographically and topologically. Having 3 secondaries, only one of
> > them on separate /24, and none of them on topologically different
> > network does not qualify.
> there is no zone anywhere, including COM, the root zone, or any other,
> that is immune from worst-case DDoS.  anycast all you want.  diversify.  
> build a name service infrastructure larger than the earth's moon.  none
> of that will matter as long as OPNs (the scourge of internet robustness)
> still exist.
This isn't 2001, and, I will argue that it *is*, in fact, possible to be
protected from a "worst case" ddos, and not at obscene price. However,
even if you argue that point, there's no excuse for not being prepared at
all, and not following the BCP. While we all may be guilty of not having
topologically/geographically diverse DNS - for someone whose core business
is DNS, that's unexcusable.

> > Given that is/was public (I think?) - I wonder what are their 
> > sarbox auditors saying about it now ;)
> that's an easy but catty criticism, and baseless.  i'm sure that some
> way could be found to improve's infrastructure, and i don't
> just mean by stopping the spamming they've been doing.  but it's not
> trivial and in the face of well-tuned worst-case DDoS, nothing will
> help.
Well, let's talk about "worst-case ddos". Let's say, 50mpps (I have not
heard of ddos larger that that number). Let's say, you can sink/filter
100kpps on each box (not unreasonable on higher-end box with nsd). That
means, you should be able to filter this attack with ~500 servers,
appropriately place. Say, because you don't know where the attack will
come in, you need 4 times more the estimated number of servers, that's 
2000 servers. That's not entirely unreasonable number for a large enough 

I know that the above was just rough back-of-the-envelope, and things are
far more complicated than that, but this discussion does not really belong
to nanog-l.

> > Compliance of icann-accredited gtld-registrars with rfc2182 might be a
> > good subject for research (again, thanks to rs for idea)....
> i've been wondering if ICANN's accredidation could be revoked for
> spammers, and has indeed been spamming.  and it may also be
> that they are out of compliance with RFC 2182.  but that would be like
> catching al capone for income tax evasion just because you couldn't pin
> murder on him.
Things like that, and accusations like that, I don't think really belong 
to nanog-l. 

(speaking for myself only)

More information about the NANOG mailing list