Speaker
Mr
Marek Majkowski
(CloudFlare)
Description
DDoS attacks against DNS providers have been on the increase over the
last few years. They have been growing in size and complexity, taking
many prominent DNS providers offline.
Today these attacks are a major concern to anyone running DNS servers.
Operators are in a continual arms race against attackers.
CloudFlare, one of the largest authoritative non-TLD providers, has
had to learn the hard way how to deal with these attacks. We have
learned how to keep our network operational, even with packet floods
in excess of 200Gbps.
In this talk, we'll explain what DNS packet floods look like and we'll
share the details of our mitigation pipeline. In order to deflect the
attacks we have developed some unique techniques that are not fully
RFC compliant, but in an arms race operational realities win over
protocol purity.
Keywords: kernel bypass, sflow, flowspec, bpf
Primary authors
Mr
Marek Majkowski
(CloudFlare)
Mr
Ólafur Guðmundsson
(CloudFlare Inc.)
