Helping to mitigate the problem with an Anycast DNS infrastructure
Several players in the industry are trying to get the (tens of millions of) open recursive DNS resolvers cleaned up by focusing on the networks that allow them and pressing those networks to shut them down. However, this is an extremely challenging global problem, caused by the inadvertent behaviour of both individuals and corporations, and the rapid growth in IoT devices is likely to compound it further. Rather than trying to solve the global issue, an IT department has a more immediate and active response available to it.
For application-layer DDoS attacks, IT departments focus on their server infrastructure by, for example, limiting responses to packets that are too large, dropping responses altogether, rate limiting traffic, or blocking traffic from certain servers entirely. These tactics are an important part of the solution, but they do not solve the problem for the DNS itself. For the DNS, a tactic that has been successfully deployed by domain name registries and many large organizations is the use of Anycast technology.
Anycast DNS enables an organization to deploy a set of DNS servers across the globe that all answer for the same addresses. Since one of the features of Anycast DNS is that each query is answered by the geographically closest server, an attack against one node will only impact customers in that region. Maintaining two or more Anycast clouds on separate infrastructure and network connectivity provides even more in-region redundancy to help mitigate the impact of an attack.
Beyond addressing the global risk, if a business has a large domestic component, then locating a few high-bandwidth local nodes can help protect your local traffic from an attack that originates offshore. Why? Because the attack traffic is soaked up by the server geographically closest to its source, leaving your domestic nodes unaffected.
Even if a global DNS node is brought down, by the time the attack moves to a new node the old one can be back online. In effect it becomes a world-wide game of whack-a-mole on the DNS servers that aren't delivering content to your most important market or region anyway.
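The blast-radius argument above (an attack lands on the node nearest its source, only that region's clients notice, and a second cloud on separate infrastructure gives them a fallback) can be worked through with a small model. This is an added example, not code from the article; the hop-count table, node names and the two clouds "A" and "B" are constructed assumptions standing in for real routing metrics.

```python
"""Toy model of Anycast DNS blast radius under a volumetric attack.

Every node in a cloud announces the same service address, so a query lands
at the node with the lowest routing metric (here a constructed hop table).
A saturated node keeps its announcement but stops answering, so only clients
whose best path ends at it lose that cloud; a second cloud is the fallback.
"""
from dataclasses import dataclass

# Constructed routing metric: hops from a client region to a node region.
HOPS = {
    "EU":   {"EU": 1, "US": 4, "APAC": 6},
    "US":   {"EU": 4, "US": 1, "APAC": 5},
    "APAC": {"EU": 6, "US": 5, "APAC": 1},
}

@dataclass(frozen=True)
class Node:
    name: str
    region: str
    cloud: str   # "A" or "B": independent infrastructure and transit

def best_node(client_region, cloud_nodes):
    """Anycast path selection: lowest metric wins; name breaks ties."""
    return min(cloud_nodes, key=lambda n: (HOPS[client_region][n.region], n.name))

def resolve(client_region, nodes, saturated):
    """Name of the node that answers the client, or None if the nearest
    node in every cloud is saturated (NS records point at both clouds)."""
    for cloud in sorted({n.cloud for n in nodes}):
        target = best_node(client_region, [n for n in nodes if n.cloud == cloud])
        if target.name not in saturated:
            return target.name
    return None

def blast_radius(nodes, saturated, client_regions=("EU", "US", "APAC")):
    """Regions left with no working cloud; every other region is unaffected."""
    return [r for r in client_regions if resolve(r, nodes, saturated) is None]

def attack_lands_on(source_region, nodes, cloud="A"):
    """Flood traffic follows the same anycast routing as legitimate queries,
    so it is absorbed by the node nearest the attack source."""
    return best_node(source_region, [n for n in nodes if n.cloud == cloud]).name

# Constructed deployment: cloud A in three regions, cloud B in two.
NODES = [Node("a-eu", "EU", "A"), Node("a-us", "US", "A"), Node("a-apac", "APAC", "A"),
         Node("b-eu", "EU", "B"), Node("b-us", "US", "B")]
```

Saturating the node an offshore flood lands on leaves the domestic regions answered by their own nodes; only when the same region's node in every cloud is saturated does that region appear in the blast radius.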