Somehow, I missed that TTL=0 when I read the article. Anyway, I picked a couple of likely DDoS targets (some of which have already been hit), as well as a couple of other sites most of us know, and wondered what kinds of TTLs I would find. So I asked the primary nameserver (as reported by whois to whois.networksolutions.com) on each domain:
- www.ask.com - 5 minutes
- www.yahoo.com - 15 minutes
- www.advogato.org - 1 hour
- www.lycos.com - 1 hour
- www.slashdot.org - 1 hour
- www.technocrat.net - 1 hour
- www.cnn.com - almost 3 hours
- www.etrade.com - almost 4 hours
- www.kuro5hin.org - 10 hours
- www.ebay.com - 24 hours
- www.google.com - 24 hours
AskJeeves and Yahoo! are likely the only big-name sites listed that could get away with reducing the TTL. And, at least in the case of Yahoo!, I think I could make a case that the user experience would suck 99.9% of the time when they're not under attack, to potentially save some trouble during the small time that they are.
Without any statistics on exactly how often these nameservers are hit, and without going back to see which seem to be on different network segments than the hosts they're providing DNS for, I'm going to stick with my earlier comment: the proposed solution is not practical for sites with heavy traffic, especially if they run their own nameservice. And, as others have pointed out, if the DDoS client is programmed to check DNS, it won't matter that much anyway.
If the Internet in general wants to prevent DDoS attacks, then the Internet in general is responsible for beefing up security to prevent them from being possible to begin with.
P.S. - an afterthought: is the so-called Slashdot Effect different and/or distinguishable from a DDoS attack?
Our scientific power has outrun our spiritual power. We have guided missiles and misguided men. —MLK
$email =~ s/0/o/; # The K5 cabal is out to get you.
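The TTL survey above was done by hand against each domain's primary nameserver. As an added example (not part of the original comment), the following Python builds a minimal DNS query in wire format and parses the TTL out of the answer records, so the same check can be scripted against any authoritative server. The response bytes embedded below are constructed for the example (a fictional www.example.com with two A records at a 300-second TTL); `query_ttls` sends the query over UDP to a server of your choosing and is only needed for live use.

```python
import socket
import struct

A_RECORD = 1
IN_CLASS = 1


def build_query(name: str, qtype: int = A_RECORD, txid: int = 0x1234) -> bytes:
    """Encode a DNS query with all header flags clear (RD off, as when asking
    an authoritative server directly rather than a recursive resolver)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, IN_CLASS)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                         # resume after the pointer
            jumped, off = True, pointer
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_answer_ttls(msg: bytes):
    """Return (owner, type, ttl, rdata) for every record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                           # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A_RECORD and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)    # dotted-quad for A records
        records.append((owner, rtype, ttl, rdata))
    return records


def format_ttl(seconds: int) -> str:
    """Render a TTL the way the survey above does (minutes / hours)."""
    if seconds < 3600:
        return f"{seconds // 60} minutes"
    hours, rem = divmod(seconds, 3600)
    return f"{hours} hours" if rem == 0 else f"almost {hours + 1} hours"


def query_ttls(name: str, server: str, timeout: float = 3.0):
    """Live lookup: send the query over UDP/53 and parse the reply (not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_answer_ttls(data)


# Constructed authoritative response: id 0x1234, QR+AA flags, one question,
# two A records for www.example.com at TTL 300, using a name-compression
# pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", A_RECORD, IN_CLASS)
    + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 300, 4) + bytes([192, 0, 2, 10])
    + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 300, 4) + bytes([192, 0, 2, 11])
)

if __name__ == "__main__":
    for owner, rtype, ttl, rdata in parse_answer_ttls(SAMPLE_RESPONSE):
        print(f"{owner} A {rdata} TTL={ttl} ({format_ttl(ttl)})")
```

Run against a real zone with `query_ttls("www.example.com", "<authoritative server IP>")`; the TTL you get back from the authoritative server is the ceiling on how long resolvers may cache the record, which is what bounds how quickly a site can move its address during an attack.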