While the overage charges are quite reasonable at dnsmadeeasy, the same is not true at ultradns/neustar. For the latter, overage rates could be termed punitive. So, the customer is stuck between buying a much larger subscription than normally required, or stand naked in the face of sudden surges.

For the particularly evil minded, it might even seem possible that a commissioned sales rep on his own, or an organised effort, might be behind such scenarios. Just imagine being able to bump current earnings as well as simultaneously driving the customer towards a bigger monthly commit through the simple exercise of a few cpu cycles.

As for the idea that a 1000 identical requests could come from a burst behind a firewall, that is just ludicrous. Client machines are pointed at dns caches. Often the one on the firewall. Well, that dns cache has it cached and does not need to get the record 999 extra times.

In the end, throttling is good business. It is one element in evading dns ddos. This means that *other* customers on the dns servers are affected less. This in turn means that they *stay* customers after the ddos has subsided.

Throttling cannot always be implemented without risk, but it has attractions to both the provider and customer. Never forget that the customer is not the only customer resident on the system. Collateral damage can be very expensive.

edgedirector.com charges strictly on a pay for what you use basis at a single rate. And, query credits never expire, they just carry forward forever. You bought it, it’s yours. Not like prepaid cell phones and vanishing minutes.

Hope you stick around, i pop by standalone-sysadmin from time to time good work, keep it up. There definitely are not enough admins sharing info!

Greg and Michael, this sort of attack is a valid concern, and should be considered tantamount to a DOS, since if you can’t pay the bill, your service is gone.

Every good IPS should have the ability to throttle service requests, especially ones that originate from the same IP. As CMDLN stated, there’s no valid reason for the same IP to make hundreds of DNS requests a day, let alone in a second. He’s right, TTL should be respected, and even in clients where it isn’t, I’ve never even seen a setting for force recaching in shorter than 300 seconds (5 minutes).

The most extreme case I can think of, a slashdotting, with fark, reddit, and digg all pointing to your site, still shouldn’t generate that sort of traffic. The effects are severe, but nothing like what CMDLN spoke of.

The onus should be on the DNS providers to filter this sort of ridiculous traffic storm. Logging only tells you where the traffic came from; it won’t get money back. It would probably be a good idea to select a DNS provider that will agree to filter suspicious traffic for you or not hold you liable for a DOS attack.

Good article, CMDLN, I enjoyed it.

Keep up the good work!