
Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia


  • From: opennic AT lewman.us
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Wed, 2 May 2012 21:22:29 -0400
  • Organization: The Tor Project, Inc.

On Wed, 02 May 2012 00:22:39 -0500
Alex <coyo AT darkdna.net> wrote:

> Out of sheer curiosity, and a desire to protect my friend, Alex
> Hanselka's pet project, I wanted to ask you all what all can be done
> to mitigate the threat of attacks such as concerted DDOS attacks
> against specific name servers, such as the IP address of the single
> authoritative root name server of OpenNIC.

Step 1. Do not have a single IP address with a single authoritative
root name server of OpenNIC.

> What attack countermeasures are possible, to mitigate attack, other
> than the obvious anti-cracking things like making sure you have a
> strong password, etc?

Basically, since opennic is recreating the same environment as the
current solitary root name servers, do what they do.

Work with the ISP to do BGP routing changes to nullroute DDoS attacks
when they occur. Implement anycast for root name servers.

> 7) Is there such a thing as name server software that allows for
> DNSSEC and DANE that makes it easy to rotate certificates?

Not yet. In fact, DNSSEC/DANE will increase the DoS attack surface. A
single client can flood requests requiring crypto ops to be performed by
the authoritative server, thereby overwhelming the CPU or dedicated
crypto hardware.

--
Andrew
pgp 0x6B4D6475
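The flood Andrew describes (one client hammering an authoritative server with queries that are expensive to answer) is usually mitigated on the server itself with response rate limiting, as BIND and NSD implement it. The following is an added example, not code from this mailing-list thread or from the OpenNIC project: a token-bucket limiter keyed on the client's /24, the query name and the query type, run over a constructed query log in which one source floods DNSKEY queries while another client asks three ordinary questions. The log format, the addresses (RFC 5737 documentation ranges) and the zone names are assumptions made for the demonstration.

```python
"""Per-source response rate limiting (RRL) for an authoritative DNS server.

Added example, not code from the mailing-list post or from OpenNIC. It
models the mitigation that BIND/NSD-style RRL applies to the flood the
reply above describes: responses are metered per (client /24, qname,
qtype) with a token bucket; a source that exhausts its bucket gets every
Nth reply "slipped" (truncated, so a genuine client retries over TCP)
and the rest dropped. The query log below is constructed for the
demonstration; the addresses are documentation ranges, not real hosts.
"""
from collections import Counter, defaultdict
import ipaddress
import re

# Assumed log format for this example: t=<ms> src=<ip> q=<qname> type=<qtype>
LOG_RE = re.compile(r"^t=(\d+)ms src=(\S+) q=(\S+) type=(\S+)$")


class RateLimiter:
    """Token bucket per (source prefix, qname, qtype), integer arithmetic.

    Tokens are kept in thousandths so that the refill (rate tokens/s is
    exactly rate millitokens/ms) and the cost of one answer (1000) are
    exact and the decisions are reproducible.
    """

    def __init__(self, rate_per_sec=5, burst=10, slip=2, prefix_len=24):
        self.rate = rate_per_sec
        self.burst_mt = burst * 1000
        self.slip = slip
        self.prefix_len = prefix_len
        self.buckets = {}                    # key -> [tokens_mt, last_ms]
        self.suppressed = defaultdict(int)   # key -> unanswered queries so far

    def _key(self, src_ip, qname, qtype):
        # Aggregate by prefix so a flooder cannot get a fresh bucket per /32.
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip(".") + ".", qtype.upper())

    def decide(self, now_ms, src_ip, qname, qtype):
        """Return 'answer', 'slip' (send a TC=1 reply) or 'drop'."""
        key = self._key(src_ip, qname, qtype)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = [self.burst_mt, now_ms]
            self.buckets[key] = bucket
        tokens, last = bucket
        tokens = min(self.burst_mt, tokens + (now_ms - last) * self.rate)
        bucket[1] = now_ms
        if tokens >= 1000:
            bucket[0] = tokens - 1000
            return "answer"
        bucket[0] = tokens
        self.suppressed[key] += 1
        if self.slip and self.suppressed[key] % self.slip == 0:
            return "slip"   # truncated reply lets a spoofed-but-real client retry over TCP
        return "drop"


def build_sample_log():
    """Constructed log: one client asking for the DNSKEY RRset every 10 ms
    for 400 ms, while a second client asks three ordinary questions."""
    lines = [f"t={10 * i}ms src=203.0.113.7 q=example. type=DNSKEY"
             for i in range(40)]
    lines += [f"t={t}ms src=198.51.100.20 q=ns1.example. type=A"
              for t in (105, 205, 305)]
    return sorted(lines, key=lambda s: int(LOG_RE.match(s).group(1)))


def process_log(lines, limiter=None):
    """Feed log lines (in time order) through the limiter.

    Returns {src_ip: Counter of decisions}; malformed lines are skipped."""
    limiter = limiter or RateLimiter()
    out = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t, src, qname, qtype = m.groups()
        out[src][limiter.decide(int(t), src, qname, qtype)] += 1
    return dict(out)


if __name__ == "__main__":
    for src, counts in process_log(build_sample_log()).items():
        print(src, dict(counts))
```

With the defaults (5 responses per second, burst of 10, slip every second suppressed query) the flooding source gets its first ten queries answered, then only one more in the remaining 300 ms, with the rest split between truncated replies and drops, while the second client is never touched. Two caveats a practitioner should keep in mind: production RRL keys on the response rather than the query (all NXDOMAIN answers to a prefix share one bucket, for instance), so the per-qname keying here would be evaded by a random-subdomain flood; and rate limiting only protects the server's CPU, not the link, which is why the reply above still points at upstream null-routing and anycast for volumetric attacks.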


