SAKURA Internet's story about applying DDoS measures to Authoritative DNS Servers.
Abstract:
Recently, DDoS attacks targeting DNS servers have been observed frequently around the world.
Just the other day (10/21 U.S. time), Dyn's DNS service was attacked, and it affected a lot of well-known sites.
A large-scale incident also occurred in our company's hosting services during 2016/8/29 - 9/2, caused by intermittent DDoS attacks against our authoritative DNS servers for customer zones.
Unfortunately, our authoritative DNS servers were not configured to be strong enough to withstand attacks.
In response, we have been implementing countermeasures to build a "strong DNS", such as:
- Anycast node installation
- Deployment of new clusters
- L7 firewall introduction
- IP address renumbering
- Upgrade of existing DDoS mitigation to 100G
In this session, we will share these efforts and would like to discuss ideas for effective DDoS countermeasures for authoritative DNS servers with participants.