Subject: Re: Dyn DDoS this AM? Date: Sat, Oct 22, 2016 at 01:37:09AM +0200 Quoting Niels Bakker (niels@bakker.net):
* mansaxel@besserwisser.org (Måns Nilsson) [Sat 22 Oct 2016, 01:27 CEST]:
Also, do not fall in the "short TTL for service agility" trap.
Several CDNs, Akamai among them, do use short TTLs for this exact reason. Server load is constantly monitored and taken into account when crafting DNS replies.
But the problem is that this trashes caching, and DNS does not work without caches. At least not if you want it to survive when the going gets tough. If we're going to solve this we need to innovate beyond the pathetic CNAME chains that todays managed DNS services make us use, and get truly distributed load-balancing decision-making (which only will work if you give it sensible data; a single CNAME is not sensible data) all the way out in the client application. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Well, I'm INVISIBLE AGAIN ... I might as well pay a visit to the LADIES ROOM ...
Given the scale of these attacks, whether having two providers does any good may be a crap shoot. That is, what if the target happens to share the same providers you do? Given the whole asymmetry of resources that make this a problem in the first place, the attackers probably have the resources to take out multiple providers. Having multiple providers may reduce your chance of being collateral damage (and I'd also still worry more about the more mundane risks of a single provider, maintenance or upgrade gone bad, business risks, etc., than these sensational ones), but multiple providers likely won't save you if you are the actual target of the attack. On Fri, Oct 21, 2016 at 4:45 PM, Måns Nilsson <mansaxel@besserwisser.org> wrote:
Subject: Re: Dyn DDoS this AM? Date: Sat, Oct 22, 2016 at 01:37:09AM +0200 Quoting Niels Bakker (niels@bakker.net):
* mansaxel@besserwisser.org (Måns Nilsson) [Sat 22 Oct 2016, 01:27 CEST]:
Also, do not fall in the "short TTL for service agility" trap.
Several CDNs, Akamai among them, do use short TTLs for this exact reason. Server load is constantly monitored and taken into account when crafting DNS replies.
But the problem is that this trashes caching, and DNS does not work without caches. At least not if you want it to survive when the going gets tough.
If we're going to solve this we need to innovate beyond the pathetic CNAME chains that todays managed DNS services make us use, and get truly distributed load-balancing decision-making (which only will work if you give it sensible data; a single CNAME is not sensible data) all the way out in the client application.
-- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Well, I'm INVISIBLE AGAIN ... I might as well pay a visit to the LADIES ROOM ...
On Fri, Oct 21, 2016 at 05:11:34PM -0700, Crist Clark wrote:
Given the scale of these attacks, whether having two providers does any good may be a crap shoot.
That is, what if the target happens to share the same providers you do? Given the whole asymmetry of resources that make this a problem in the first place, the attackers probably have the resources to take out multiple providers.
Having multiple providers may reduce your chance of being collateral damage (and I'd also still worry more about the more mundane risks of a single provider, maintenance or upgrade gone bad, business risks, etc., than these sensational ones), but multiple providers likely won't save you if you are the actual target of the attack.
Good, perfect, enemy, etc. How many sites were down today? How many were the intended target? -- Brett
participants (3)
-
Brett Frankenberger -
Crist Clark -
Måns Nilsson