ddos, dns and geolocation


fyi: managed dns services - edgedirector.com

DDOS, or distributed denial of service attacks, can be mitigated using dns. This is because under most attack scenarios the attacking machines find the host using dns, so controlling the dns answer controls where the attack traffic is sent.

Using dns to null route is similar in concept to null route injection at the router level. The goal is to make the host disappear from the internet for the duration of the attack. This is done to spare the server from the work of handling the attacking network packets. In dns, this is done by not returning an answer, or by returning an answer that is local to each attacking machine, such as localhost.

Of course, by hiding the server from the network, it is effectively offline. While the bandwidth cost is avoided, the ddos will still have the desired effect in that the site is unavailable.

However, if it can be determined that the attack is specific to a geographical region, then geolocation aware dns can be applied effectively. This type of dns service can selectively answer queries based upon the geographic origin of individual queries. The edgedirector dns service can be configured to either not answer a query from the identified region, or to answer with a harmless address such as localhost. While this sounds simple, under no circumstances should a dns administrator try to do this without specific technical guidance from edgedirector support.

Where a ddos problem is not region specific, geolocation aware dns can still be of benefit. One of the sad facts of life is that the inbound network must be capable of supporting the network traffic involved in a ddos attack. As each physical location has finite network resources, there is a limit to the amount of inbound traffic that the network can sustain. With directional dns, the victim site can be spread over many networks. This has the effect of increasing the amount of bandwidth that is available to absorb a ddos event. Spreading the traffic does not decrease costs, instead it is employed to increase resilience in the face of the ddos attack.
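The two behaviours described above, answering queries differently by source region (dropping them or returning a harmless local address for the attacking region) and spreading the remaining traffic over several networks, can be modelled in a few lines. The following is an added example written for this page, not edgedirector's code or configuration: the geolocation table, the region-to-address map, the client addresses and the policy actions are all constructed for illustration, and a real service would use a proper geolocation database and its own configuration interface. It also includes a small histogram helper for the first step, checking whether query sources are concentrated in one region before any region-specific policy is applied.

```python
import ipaddress
from collections import Counter
from enum import Enum
from typing import Dict, List, Optional

# Constructed toy geolocation table: resolver source prefix -> region code.
# Prefixes are documentation ranges chosen for the example only.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AP"),
    (ipaddress.ip_network("198.51.100.0/24"), "EU"),
    (ipaddress.ip_network("192.0.2.0/24"), "NA"),
]

# Constructed map of region -> addresses of the network(s) serving that
# region.  Answering each region from a different network is what spreads
# inbound traffic across more bandwidth than any single site has.
POPS: Dict[str, List[str]] = {
    "NA": ["192.0.2.10", "192.0.2.11"],
    "EU": ["198.51.100.10"],
    "AP": ["203.0.113.10"],
}
DEFAULT_REGION = "NA"  # used when the source cannot be geolocated


class Action(Enum):
    SERVE = "serve"          # normal answer from the region's own network
    LOCALHOST = "localhost"  # answer 127.0.0.1 so each client talks to itself
    NO_ANSWER = "no_answer"  # return nothing; the query is silently dropped


def lookup_region(client_ip: str) -> Optional[str]:
    """Map a query source address to a region code, or None if unknown."""
    addr = ipaddress.ip_address(client_ip)
    for prefix, region in GEO_TABLE:
        if addr in prefix:
            return region
    return None


def region_histogram(client_ips: List[str]) -> Dict[str, int]:
    """Count query sources per region.  A single region dominating the
    histogram is the signal that region-specific dns policy can help."""
    counts = Counter(lookup_region(ip) or "UNKNOWN" for ip in client_ips)
    return dict(counts)


def resolve(client_ip: str, policy: Dict[str, Action]) -> Optional[List[str]]:
    """Answer an A query for the protected name according to the source
    region and the per-region policy.  Returns the address list to hand
    back, or None when the policy says to return no answer at all."""
    region = lookup_region(client_ip) or DEFAULT_REGION
    action = policy.get(region, Action.SERVE)
    if action is Action.NO_ANSWER:
        return None
    if action is Action.LOCALHOST:
        return ["127.0.0.1"]
    return list(POPS[region])


if __name__ == "__main__":
    # Constructed query log: most sources sit in the AP prefix.
    sample_sources = ["203.0.113.%d" % i for i in range(1, 41)] + [
        "198.51.100.7", "192.0.2.3", "10.9.8.7"]
    print(region_histogram(sample_sources))
    policy = {"AP": Action.LOCALHOST}
    for ip in ("203.0.113.5", "198.51.100.7", "10.9.8.7"):
        print(ip, "->", resolve(ip, policy))
```

The histogram is the decision input: if it shows the query load concentrated in one region, that region's entry in `policy` can be set to `NO_ANSWER` or `LOCALHOST` while every other region keeps being answered from its own network. Sources that cannot be geolocated fall back to `DEFAULT_REGION`, so a gap in the geolocation table does not turn into an unintended outage.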

A more advanced technique for longer term problems is to redirect traffic to a secondary site which acts as a gateway to the real site. The secondary site is configured to ensure that any forwarding link can only be followed by humans, and that the forwarding mechanism is resistant to automated responses. You can be sure that a determined attacker will try to create a workaround. Thus, the forwarding site must be specifically engineered to resist all known automated navigation techniques.

In closing, the reader is reminded that geographic dns can be effective in ddos mitigation, but it is only one tool of many to be applied to the task.