On Dec 31, 2015, at 6:50 PM, Michael Richardson
<mcr+ietf(_at_)sandelman(_dot_)ca> wrote:
> Jared Mauch <jared(_at_)puck(_dot_)nether(_dot_)net> wrote:
> > But for the small percentage of spoofed packets, the cost on the rest
> > is so high when we are often PPS limited on even the largest routers.
> > The 40-byte packet benchmark of the late 90s isn’t seen today.
>
> Tragedy of the commons... the cost here is balanced by the root name server
> operators dealing with regular multi-Gb/s attacks.
> (The last one, which seems to have been the largest to date, it is unclear to
> me if it was with forged source address)
> http://www.root-servers.org/news/events-of-20151130.txt

Yup, not news to me (at least). We have a lot of DNS providers, including
root servers behind our network. It’s often cheaper to throw more servers
and bandwidth at the problem.
- Jared