On Jun 15, 2008, at 8:02 PM, Joe Greco wrote:
I think a real solution would be more sophisticated than this, but
it's a starting point.
In addition to the BCPs already mentioned by Sean and Nathan, a good
detection/classification/traceback system plus S/RTBH can be helpful,
and there are commercial DDoS mitigation services/scrubbers available
from various SPs/vendors which have DNS-specific functionality, as
well. Blocking TCP/53 is definitely not an optimal solution, as many
have already pointed out.
-----------------------------------------------------------------------
Roland Dobbins <[EMAIL PROTECTED]> // +66.83.266.6344 mobile
History is a great teacher, but it also lies with impunity.
-- John Robb
