Moin!
On 29 Jun 2016, at 8:55, Henrik Lund Kramshøj wrote:
> and when being attacked the harm is already done, service will be
> interrupted if we do nothing …
There is a difference between doing something as a response to attacks and
having something hanging there that might treat you badly down the road.
> so the talk about these boxes throwing away some traffic, bad
> middleboxes etc. These are not middleboxes, but part of the overall
> solution at the end-network - and as such they increase operational
> cost - but they bring more resilience and stability to the service.
> They even work using the existing hardware devices in many
> circumstances, making the cost less than buying "DDoS protection
> service box model 2000"
> YMMV, and you should always consider your own environment, adding
> DNSSEC comments are great etc. Some things SHOULD be discarded, others
> rate-limited
I don't have problems with discarding, but again it should be done where
the impact is understood, and a router doesn't have that. Doing opaque
dropping on the outbound of a resolver, even while part of the solution,
can have weird effects and should be avoided.
> and shameless link
> https://ripe72.ripe.net/wp-content/uploads/presentations/32-simulated-ddos-ripe.pdf
> which has similar advice
Again, that was during the attack and not permanent (Anand can correct me
if I got it wrong). Also, this was an authoritative server, which has a
different defence pattern than the resolver that was described in the
article.
So long
-Ralf