Lessons from the Stophaus/CloudFlare/Spamhaus DDoS for ISPs
Update: our full report on this incident is now available (in German).

No, the Internet is not breaking down, and we did not have a doomsday scenario over the last week. We did have an interesting situation: there was some disruption in some parts of the Internet, and a good number of overtime hours were put in to mitigate it. Here are some recommendations for ISPs, with links:
- Implement BCP38. The attackers need to send out forged packets; restricting their ability to do so from a hacked box inside *your* network helps.
- Recursive nameservers should not be open to the world. See RFC5358. There are a few projects starting up which scan the Internet for such open recursors in order to get them all fixed. One is http://openresolverproject.org. Warning: the data quality from that service is not optimal yet. If you want to scan your own netblock for open recursors, have a look at Aaron's software.
- Authoritative nameservers can also be abused as traffic amplifiers. There are patches out which implement rate-limiting for the common implementations. See e.g. http://www.redbarn.org/dns/ratelimits
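The open-recursor point above is easy to verify for your own resolvers. The following is an added example (not code from the original post, from openresolverproject.org, or from Aaron's software): it builds a raw DNS query with the RD bit set, sends it over UDP/53, and classifies the reply from the RA bit and RCODE. The probe name `example.com` and the fake reply builder used for offline testing are constructed for this example.

```python
"""Check whether a DNS server answers recursive queries (an 'open recursor').

Added example, not from the original post or any scanning project. It
sends a raw query with RD=1 and inspects RA and RCODE in the reply.
Intended for checking resolvers inside your own netblock.
"""
import secrets
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_REFUSED = 5

# Constructed probe name: a reserved name no ISP resolver is authoritative
# for, so a NOERROR answer with records implies the server recursed for us.
PROBE_NAME = "example.com"


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qid: int) -> bytes:
    """Build a single-question DNS query with RD=1 (RFC 1035 header layout)."""
    flags = 0x0100  # QR=0, OPCODE=0, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    return header + question


def parse_response(data: bytes, expected_id: int) -> dict:
    """Extract the header fields that matter for the recursion check."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    return {
        "qr": bool(flags & 0x8000),   # reply bit
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(fields: dict) -> str:
    """'open': recursion offered and the probe was answered (needs fixing).
    'closed': recursion not available or query refused (desired state).
    'other': ambiguous, e.g. SERVFAIL; inspect manually."""
    if not fields["qr"]:
        return "other"
    if fields["ra"] and fields["rcode"] == RCODE_NOERROR and fields["ancount"] > 0:
        return "open"
    if not fields["ra"] or fields["rcode"] == RCODE_REFUSED:
        return "closed"
    return "other"


def check_server(server_ip: str, timeout: float = 2.0, qname: str = PROBE_NAME) -> str:
    """Send the probe over UDP/53 and classify the reply ('timeout' if none)."""
    qid = secrets.randbelow(0x10000)
    query = build_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(parse_response(data, qid))


def make_fake_response(query: bytes, ra: bool, rcode: int, answers: int) -> bytes:
    """Constructed reply for offline testing: set QR, RA, RCODE and ANCOUNT."""
    qid, flags, qd, _an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= 0x8000
    flags = (flags | 0x0080) if ra else (flags & ~0x0080)
    flags = (flags & ~0x000F) | (rcode & 0x000F)
    return struct.pack("!HHHHHH", qid, flags, qd, answers, ns, ar) + query[12:]


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        print(ip, check_server(ip))
```

Run it as `python check_recursor.py <resolver-ip> ...` against your own resolvers; "closed" (REFUSED or RA clear) is what a correctly configured authoritative-only or ACL-restricted server returns.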
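To make the authoritative-server point concrete, here is an added simulation of the response rate limiting idea (example code, not from the original post or from any nameserver's RRL patch): identical responses to the same client /24 are capped per second, and a fraction of the suppressed responses are "slipped" as small truncated (TC=1) replies so a real client can retry over TCP while a spoofed victim receives far less amplified traffic. The response sizes, rate and slip values are constructed sample numbers.

```python
"""Model of DNS Response Rate Limiting (RRL) for an authoritative server.

Added example; not the code of any nameserver project. Shows how capping
identical responses per client network bounds the amplification a spoofed
query flood can extract from an authoritative server.
"""
from collections import defaultdict
import ipaddress


class ResponseRateLimiter:
    """Per-(client /24, identical response) limiter in the style of RRL."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip            # every slip-th suppressed response becomes a TC=1 reply
        self.prefix_len = prefix_len
        self._sent = defaultdict(int)        # (second, client_net, response_key) -> count
        self._suppressed = defaultdict(int)  # (client_net, response_key) -> count

    def _client_net(self, client_ip):
        return ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)

    def decide(self, now, client_ip, response_key):
        """Return 'send' (full answer), 'slip' (truncated reply) or 'drop'."""
        net = self._client_net(client_ip)
        window = (int(now), net, response_key)
        self._sent[window] += 1
        if self._sent[window] <= self.rps:
            return "send"
        # Over the limit: suppress, but let every slip-th one through as TC=1
        # so a legitimate client behind a spoofed address can retry over TCP.
        self._suppressed[(net, response_key)] += 1
        if self.slip and self._suppressed[(net, response_key)] % self.slip == 0:
            return "slip"
        return "drop"


def simulate_flood(n_queries, victim_ip="192.0.2.10", full_size=3000, tc_size=40,
                   limiter=None):
    """Model n spoofed queries (source = victim) for one large answer within one second.

    Returns bytes reaching the victim with and without RRL plus the verdict counts.
    Sizes are constructed: a ~3000-byte ANY answer versus a ~40-byte TC=1 reply.
    """
    limiter = limiter or ResponseRateLimiter()
    key = ("example.com", "ANY", "NOERROR")  # constructed: one large, identical answer
    with_rrl = 0
    verdicts = defaultdict(int)
    for _ in range(n_queries):
        verdict = limiter.decide(0.0, victim_ip, key)
        verdicts[verdict] += 1
        if verdict == "send":
            with_rrl += full_size
        elif verdict == "slip":
            with_rrl += tc_size
    return {
        "without_rrl_bytes": n_queries * full_size,
        "with_rrl_bytes": with_rrl,
        "verdicts": dict(verdicts),
    }


if __name__ == "__main__":
    result = simulate_flood(1000)
    print(result)
```

The model deliberately keys on the client /24 rather than the exact address, as the real implementations do, so an attacker cannot evade the limit by rotating spoofed addresses within one victim prefix; a separate client on another network stays under the cap and keeps getting full answers.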