[Sysadmins] Eircom DNS woes...

Brian Boyle brian.boyle at heanet.ie
Wed Jul 15 09:24:16 IST 2009

Colm MacCárthaigh wrote:
> Since Eircom and RTE both peer at INEX, using strict RPF might offer
> some protection against that one. Many of the IE nameservers are
> reachable that way too, and one of the root servers. So that helps.

Is that practically possible though? Can you configure an RPF filter
based on the content of a pretty deeply buried piece of info, such as
a DNS response? Also, this would turn into a site by site filter,
which wouldn't be much fun.

> The next thing that a network admin could do is to analyse the hop
> counts to each of the root servers, each of the IE nameservers and so
> on, and to enable ttl-based ACLs (with a range of +/- 2 or so, to
> handle path changes) as a temporary measure. That might cut out enough
> traffic to get way below the volume needed to successfully spoof an
> answer to a cache.  But it does take some analysis and automation.

Most of the root servers are 9 or more hops from me, and many are
"further" away. Also, given the nature of routing to/from them (with
the added complication of anycast implementation), I wouldn't consider
the ttls to be determinate over any period of time. Between those two,
I think there is plenty of scope for a sufficiently large DDoS network
to keep pounding away.

Brian Boyle, Network Services Manager
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301  tel: +353-1-660 9040  fax: +353-1-660 3666
web: http://www.heanet.ie/
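
The hop-count analysis and TTL window discussed in this thread, as an added example that is not part of either poster's message: it learns a per-server baseline from responses believed genuine, applies the "+/- 2" window, and flags servers whose genuine TTLs already vary too much for the window to be safe. The initial-TTL list, function names, addresses and TTL values are all assumptions constructed for illustration.

```python
from statistics import median

COMMON_INITIAL_TTLS = (64, 128, 255)  # typical OS defaults; an assumption
TOLERANCE = 2                          # the "+/- 2 or so" from the thread


def infer_hops(observed_ttl):
    """Guess hop count: distance below the nearest common initial TTL."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def build_baseline(samples):
    """samples: iterable of (server_ip, ttl) from responses believed genuine."""
    per_server = {}
    for ip, ttl in samples:
        per_server.setdefault(ip, []).append(ttl)
    baseline = {}
    for ip, ttls in per_server.items():
        mid = int(median(ttls))
        baseline[ip] = {
            "low": mid - TOLERANCE,
            "high": mid + TOLERANCE,
            "hops": infer_hops(mid),
            # False when genuine samples already span more than the window width
            "stable": max(ttls) - min(ttls) <= 2 * TOLERANCE,
        }
    return baseline


def check(baseline, src_ip, ttl):
    """Return 'accept', 'drop', or 'unknown' for a response claiming src_ip."""
    entry = baseline.get(src_ip)
    if entry is None:
        return "unknown"
    return "accept" if entry["low"] <= ttl <= entry["high"] else "drop"


# Constructed samples (documentation addresses, not real nameservers).
SAMPLES = [
    ("192.0.2.53", 55), ("192.0.2.53", 55), ("192.0.2.53", 54),
    ("198.51.100.53", 246), ("198.51.100.53", 240), ("198.51.100.53", 233),
]
BASELINE = build_baseline(SAMPLES)
```

The second constructed server has genuine samples spread across 13 TTL values, so a +/- 2 window would drop some of its real answers; checking `stable` before deploying a filter catches that case.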
