Dealing with large DNS packet floods
DDoS attacks against DNS providers have been on the increase over the last few years. They have been growing in size and complexity, taking many prominent DNS providers offline.
Today these attacks are a major concern to anyone running DNS servers. Operators are in a continual arms race against attackers.
CloudFlare, one of the largest authoritative non-TLD providers, has had to learn the hard way how to deal with these attacks. We have learned how to keep our network operational, even with packet floods in excess of 200 Gbps.
In this talk, we'll explain what DNS packet floods look like and share the details of our mitigation pipeline. To deflect the attacks, we have developed some unique techniques that are not fully RFC compliant, but in an arms race, operational realities win over protocol purity.
Keywords: kernel bypass, sflow, flowspec, bpf