Re: Recent DNS issues - NTL speaks....
Without information on the nature of the ddos attacks it's impossible to say if anything could be done. Some attacks are just impossible to stop and you have to ride them out.
|
Re: Recent DNS issues - NTL speaks....
If it was some small ISP with 100mbit of peering I could understand, but ntl have many gigabits of peering, so they probably can't be taken down with a bandwidth saturation attack, so I can only assume they either let the traffic reach the DNS servers unfiltered, or it was a simple request overload on the servers (resource consumption).
An ISP of ntl's size should be able to mitigate a DDoS attack. There are a few ways to do it, but the first step would be buying some high-end Juniper hardware, configuring it to filter attacks before they even reach the DNS servers, and then adding more DNS servers so there is some better redundancy. Of course, if they are not willing to spend money, what they can do is much more limited.
Re: Recent DNS issues - NTL speaks....
This is ridiculous, I can barely browse... Are there any other working DNS addresses we can use in the interim?
|
Re: Recent DNS issues - NTL speaks....
Quote:
The fact is ntl don't have the technology in place to repel these attacks, and are I suspect just throwing more server capacity at it. That was what was happening previously anyway. There are plenty of manufacturers offering DDoS mitigation hardware. These attacks I seriously doubt are anything more than SYN or UDP floods. Attacking DNS through repeated querying can be blocked upstream as well. It's all a case of having the layer 7 inspection and filtering in place to allow the legitimate traffic through while blocking the bad stuff. NTL might do well to have a chat with someone selling http://www.toplayer.com/ equipment. A look at http://www.google.com/search?q=DDoS+mitigation shows a number of options too. There's a difference between being unable to stop the attacks and regarding them as an 'acceptable risk' and choosing not to invest the required sums to stop them. You do wonder why these servers are even reachable from the outside. The servers the customers query could be separated from the servers which other DNS servers query. Personally I'd be all in favour of regional DNS servers, at the moment there's a distributed (and unnecessary) caching architecture, but the DNS is centralised still, which makes no sense apart from the financial one. Either way this is inexcusable, and I wouldn't blame the engineers for this, I'd blame the people holding the purse strings and the people demanding wading through red tape before getting at the purse.