Re: Re: DNS load research
2005-03-24 09:52:52
Michael Hammer wrote:
On Wed, 23 Mar 2005 20:51:35 -0500, Radu Hociung <radu(_at_)ohmi(_dot_)org>
wrote:
I was thinking some more about the scenario, and I think that the
following conclusion did not come across very well:
The severity of the DDOS is a quadratic function of the query limit
implemented by the spf checkers.
Each of the two multiplication factors is a linear function of the query
limit. Since they get multiplied, the overall result is proportional to
the square of the query limit.
Indeed, if the query limit that ohmi.org would do were 10 queries, the
numbers would become (L=limit):
Traffic magnification: (2 * L * 100) / 60 = 33.33
Time magnification: (200ms * L) / 50ms = 40
Total amplification: 33.33 * 40 = 1,333
Aggregate DNS traffic: 1,333*1Mbit/s = 1.33Gbps
Radu,
I guess I have a couple quibbles with your logic (I'm assuming your
calculations are correct). How many DNS servers are sitting on a Gig
Pipe? If the trunk coming into the datacenter is gig or better, how
many of the DNS servers have 10/100 ethernet connections rather than
Gig?
I'm not 100% sure on the calculations either, and I was hoping that
someone would go over them and do a sanity check. Hopefully not
Scott-style, but more of an engineering check, where my assumptions are
checked as well as my calculations and results. Perhaps David would do
this? :) Hint, hint, thank you in advance :)
It would also be nice to invite a DNS engineer to the discussion, but
unfortunately I don't know any.
I agree with you that very few DNS servers are sitting on Gigabit links.
It's great to do calculations but in the real world you would saturate
the connection on most (many?) DNS servers before you would come close
to your calculated number for bandwidth.
Saturating the link to the DNS server _is_ the problem. It means that
many/most queries will be dropped (UDP is a send and forget protocol,
without any checking if the packet was delivered, like TCP). Since most
everything on the internet works using names, if those names cannot be
resolved to IP addresses, nothing works.
There are a lot of services using the DNS infrastructure, and I would
hazard a guess that even if only half of DNS queries fail, a lot of
these services would be disrupted. That is pretty much as bad as it can
be. The next worst thing to the internet becoming so useless would be if
it didn't exist at all.
Without DNS, you can't browse to CNN, mail.yahoo.com, your online stock
broker. You can't resolve VoIP calls, you can't sync your network's time
to the atomic NTP servers, and so on. With only a fraction of DNS
services being available, the disruption would be just as great.
Surely, once you've already surfed to CNN, you're good till the info in
your local DNS cache expires, so maybe you won't see much of a slowdown.
It may take a few hours for that info to expire, and then you're in the
same boat as everyone else.
Saturating the DNS servers is the worst thing that can happen to the
Internet, I think. When the pipes are saturated with non-DNS traffic, it
would just take longer to transfer files, but when DNS is saturated, you
can't even start the connections, because you don't know where to connect.
Radu.
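The amplification estimate in the quoted message can be checked by putting its two factors into code. The block below is an added example, not part of the thread; the constants (the 2, 100 and 60 in the traffic term, the 200ms and 50ms in the time term, and the 1 Mbit/s base traffic) are taken as given from the figures above, since their derivation is in earlier messages not reproduced here. It reproduces the L=10 numbers, shows that doubling L quadruples the aggregate (the quadratic relation), and adds a helper that finds the smallest query limit at which the estimate exceeds a given link capacity, which is the "you would saturate the connection first" point from the reply.

```python
# Added example modelling the amplification estimate from the message above.
# All constants are ASSUMPTIONS copied from the quoted figures, not derived here.

TRAFFIC_NUM = 2 * 100      # numerator factor in "(2 * L * 100) / 60"
TRAFFIC_DEN = 60           # denominator in the same term
TIME_PER_QUERY_MS = 200    # numerator in "(200ms * L) / 50ms"
TIME_BASE_MS = 50          # denominator in the same term
BASE_TRAFFIC_MBPS = 1.0    # the "1Mbit/s" the total amplification multiplies


def traffic_magnification(limit):
    """Bandwidth factor; linear in the SPF query limit."""
    return TRAFFIC_NUM * limit / TRAFFIC_DEN


def time_magnification(limit):
    """Time-in-flight factor; also linear in the query limit."""
    return TIME_PER_QUERY_MS * limit / TIME_BASE_MS


def total_amplification(limit):
    """Product of two linear factors, hence quadratic in the limit."""
    return traffic_magnification(limit) * time_magnification(limit)


def aggregate_mbps(limit):
    """Estimated aggregate DNS traffic in Mbit/s for a given query limit."""
    return total_amplification(limit) * BASE_TRAFFIC_MBPS


def quadratic_ratio(limit):
    """Ratio of the estimate at 2L to the estimate at L; 4.0 if quadratic."""
    return total_amplification(2 * limit) / total_amplification(limit)


def smallest_limit_saturating(link_mbps):
    """Smallest query limit whose estimated aggregate exceeds link_mbps.

    Useful for the point made in the reply: a 100 Mbit/s DNS server link
    is swamped long before the aggregate reaches the headline figure.
    """
    limit = 1
    while aggregate_mbps(limit) <= link_mbps:
        limit += 1
    return limit


if __name__ == "__main__":
    for limit in (1, 2, 5, 10, 20):
        print(f"L={limit:2d}: traffic x{traffic_magnification(limit):6.2f}, "
              f"time x{time_magnification(limit):6.2f}, "
              f"aggregate {aggregate_mbps(limit):8.2f} Mbit/s")
    print("doubling L multiplies the estimate by", quadratic_ratio(10))
    print("100 Mbit/s link exceeded at L =", smallest_limit_saturating(100))
    print("1 Gbit/s link exceeded at L =", smallest_limit_saturating(1000))
```

Under these constants the estimate is 13.33 * L^2 Mbit/s, so a 100 Mbit/s server link is already exceeded at a query limit of 3 and a gigabit link at 9; the model says nothing about how the constants were obtained, which is the sanity check the message asks for.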