I really like what Mark said.
This is the real case that happened at my end.


On Friday, 2015/6/12 at 0:28, Mark E. Jeftovic wrote:


Mike Hoskins (michoski) wrote:


I don't work for amazon, but have used route53 as a cheaper alternative to
Akamai.

Note neither of these are marketed as anti-DDoS as directly as services
like Akamai, but the way in which the services are deployed provides
better "protection" than your average hoster or individual.


You have to look at DDoS from two perspectives:

1) The direct target of the DDoS

2) Everybody else impacted as collateral damage of #1

If you're #1 there is no such thing as "cheap DDoS protection", unless
you're a non-profit and hook up with certain organizations that
specialize in helping non-profits. You could go to Cloudflare's free
options but they are (AFAIK) only free up to a certain point and may not
be desirable solutions (i.e. a web proxy / middle jump page / etc), not
to mention that they primarily provide (free) solutions for websites,
not DNS providers, etc.


Most of the damage experienced from DDOS attacks is #2, collateral
damage and what we've always said in these situations is that the magic
bullet for surviving these types of DDOS attacks is to have multiple DNS
solutions/providers/vendors etc.

That works for end-users. If you have any DNS constellation that isn't
an exact match of the DDOS target's then you're going to come through
relatively unscathed.

If *you* are a DNS provider, you still have the issue of protecting your
systems whenever you get hit. That costs money and there are no "cheap"
ways to do this.

A vendor like Amazon Route 53 (or any other DNS vendor) is not a magic
bullet for DDoS attacks if *you* are the target.

They'll just get rid of you, one way or another (us included. Even if we
want to keep you as a customer, you're going to have to pay the premium
for DDoS mitigation and we'll move you over to a Staminus or a Cloudflare)

The key point which I'm trying to make, which most outfits who seem to
bring DDoS attacks to our door (and those of other DNS vendors) find
impossible to grasp is this:

The DDoS mitigation DNS providers pay a lot of money for is there to
keep their *other* customers online when *you* get DDOS-ed, and *not* to
provide DDOS mitigation for *you* for *cheap*.

If you're a small provider with not a lot of budget to spend on DDoS
mitigation the best strategy is not to get DDoS-ed. That isn't a Yogi
Berra-ism, you can actually do this much of the time by coming up with
some pre-screening rules you apply to domains *before* you allow them to
delegate to your servers.

Those rules would be unique to your situation and it doesn't always work
of course. You then need some kind of plan for those times when they do
sneak through, but if you can head off even one DDoS a year before it
starts you could be postponing your eventual ulcer or nervous breakdown
out a few good years before you finally lose your shit and throw in the
towel.

- mark




-----Original Message-----
From: dns-operations [mailto:dns-operations-boun...@dns-oarc.net] On
Behalf Of bert hubert
Sent: Thursday, June 11, 2015 11:00
To: Kevin C.
Cc: dns-operati...@dns-oarc.net
Subject: Re: [dns-operations] about anti-ddos DNS hostings

On Thu, Jun 11, 2015 at 12:06:54PM +0800, Kevin C. wrote:
Do you know which provider has a good anti-ddos systems and with a low
price for bulk zones? I will suggest him switch to there.
No, this is something you can't offer right now. Geoff Huston's thinking
on this is instrumental:


Yes and no.  Those with existing large estates/geo footprint supported by
other means than just selling DNS services are in a unique position to try.


http://labs.apnic.net/?p=624

"Defending your DNS is now a game that you only win if you can afford to
win.


Generally agreed, and not just DNS...DDoS in general.  This view is
certainly older than May 2015, but becomes more true each day.



_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

