Quote, originally posted by Paul M:
> Without information on the nature of the DDoS attacks it's impossible to say if anything could be done. Some attacks are just impossible to stop and you have to ride them out.
There is no such thing as an unstoppable attack apart from those that rely on raw bandwidth, and even those can be prevented by a distributed server architecture. It is impossible to simulate normal traffic to the extent where it is able to take a well-specified server down.
The fact is NTL don't have the technology in place to repel these attacks, and are, I suspect, just throwing more server capacity at it. That was what was happening previously anyway.
There are plenty of manufacturers offering DDoS mitigation hardware. I seriously doubt these attacks are anything more than SYN or UDP floods. Attacking DNS through repeated querying can be blocked upstream as well. It's all a case of having the layer 7 inspection and filtering in place to allow the legitimate traffic through while blocking the bad stuff.
NTL might do well to have a chat with someone selling http://www.toplayer.com/ equipment.
A look at http://www.google.com/search?q=DDoS+mitigation shows a number of options too.
There's a difference between being unable to stop the attacks and regarding them as an 'acceptable risk' and choosing not to invest the required sums to stop them.
You do wonder why these servers are even reachable from the outside. The servers the customers query could be separated from the servers which other DNS servers query.
Personally I'd be all in favour of regional DNS servers, at the moment there's a distributed (and unnecessary) caching architecture, but the DNS is centralised still, which makes no sense apart from the financial one.
Either way this is inexcusable, and I wouldn't blame the engineers for this, I'd blame the people holding the purse strings and the people demanding wading through red tape before getting at the purse.
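The separation argued for above (customer-facing resolvers answering only customer ranges, the externally reachable authoritative servers answering no recursive queries and rate-limiting repeated lookups) expressed as a BIND 9 named.conf. This is an added illustration, not a configuration from the thread or from NTL; the address ranges, zone name and file paths are constructed placeholders, and using two views on one host is the minimal form of the idea, with separate machines being the stronger one.

```conf
// Constructed example: customer address space that may use the recursive resolver.
acl customers {
    10.0.0.0/8;          // placeholder: internal customer pool
    192.0.2.0/24;        // placeholder: documentation range
};

options {
    directory "/var/named";
    // Attackers cannot learn much from version strings; hide them.
    version "not disclosed";
};

// View 1: what the customers query. Recursion is allowed, but only for
// sources in the customers ACL, so it is never an open resolver for outsiders.
view "customers" {
    match-clients { customers; };
    recursion yes;
    allow-query { customers; };
    allow-recursion { customers; };
    allow-query-cache { customers; };
};

// View 2: what other DNS servers (and anyone on the Internet) query.
// Authoritative data only; no recursion and no cache access, plus BIND
// response rate limiting so repeated querying of one name from one
// source, or reflection via spoofed sources, is throttled rather than served.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };
    rate-limit {
        responses-per-second 10;   // identical answers per client /24 per second
        errors-per-second 5;       // NXDOMAIN/SERVFAIL replies are limited too
        slip 2;                    // every 2nd dropped reply is a truncated one,
                                   // so real clients retry over TCP
        log-only no;               // set yes first to measure before enforcing
    };
    zone "example.net" {           // placeholder zone
        type master;
        file "zones/example.net.db";
    };
};
```

Check the result with `named-checkconf` before reloading; with `log-only yes` the rate-limit clause records what it would have dropped without changing any answers, which is the safe way to tune the thresholds.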