[Dshield] monkeys.com UPL being DDOSed to death

Kenneth Porter shiva at sewingwitch.com
Wed Sep 24 00:06:33 GMT 2003


--On Tuesday, September 23, 2003 2:51 PM -0700 John Hardin
<johnh at aproposretail.com> wrote:

> What if the community sets up a distributed DNS net to serve the DNSRBL
> data? The root server could distribute updates only to secondaries that
> have registered. If there were several hundred secondaries then the zone
> would be harder to kill.

But if you're DDoS'd, how do you get the zone transfers out to your
secondaries? I guess you're ok if the DDoS doesn't outlast the zone expiration
period.

Registering to be a secondary should be as easy as filling out a web form and
shouldn't have any special strings, so that the number of secondaries can be
high. You probably want a small delay (like an hour) before the secondary is
authorized to keep the process from being used as a DDoS.

Secondaries should be publicly listed out-of-band so that they can be used
without a delegation, in case the nameservers of a parent zone get DDoS'ed.
For instance, a BIND zone config statement in a text file on a web server,
easy to paste into one's named.conf.
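For concreteness, here is what the two halves of the proposal would look like in BIND 9 named.conf syntax. This is an added illustration, not text from the post or from any real DNSBL operator; the zone name dnsbl.example.net, the primary address 192.0.2.53 and the secondary addresses in 198.51.100.0/24 are placeholders from the documentation ranges, and the "registered-secondaries" ACL name is made up for the example.

```conf
// ---- Primary (the "root server" for the DNSBL zone) ----
// Hypothetical names/addresses: dnsbl.example.net, primary 192.0.2.53,
// secondaries 198.51.100.10 and .11 (documentation ranges, not real hosts).

// Only hosts whose registration delay has elapsed are added here; a
// freshly submitted web-form entry stays out until the delay has passed.
acl "registered-secondaries" {
    198.51.100.10;
    198.51.100.11;
};

options {
    notify explicit;      // send NOTIFY only to the also-notify list below,
                          // not to every NS in the zone
};

zone "dnsbl.example.net" {
    type master;
    file "primary/dnsbl.example.net.db";
    allow-transfer { "registered-secondaries"; };   // AXFR/IXFR to registered hosts only
    also-notify { 198.51.100.10; 198.51.100.11; };  // push updates as soon as the serial changes
};

// ---- Secondary: the stanza published out-of-band for people to paste ----
// Because the primary's address is named here, the secondary keeps working
// even if the parent zone's nameservers (and hence the NS delegation) are unreachable.
zone "dnsbl.example.net" {
    type slave;
    file "secondary/dnsbl.example.net.db";
    masters { 192.0.2.53; };
    allow-transfer { none; };   // don't let the mirror become an unintended transfer source
};
```

The "how long can the secondaries outlast the DDoS" question from the post is governed by the zone's SOA expire timer, not by anything in named.conf: once a secondary has failed to refresh from the primary for longer than the expire value, BIND stops answering for the zone (it returns SERVFAIL rather than stale data), so the primary's SOA should carry an expire value comfortably longer than the attacks the operator expects to ride out.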
