[funsec] UltraDNS: Internet Security Shield?

Tim Wilde twilde at dyndns.com
Wed Oct 19 11:56:06 CDT 2005


On Wed, 19 Oct 2005, Jordan Wiens wrote:

> That's why I quoted their summary -- they appear to make that claim:
>
> "In the event of a DDoS attack on the public Internet or other network 
> failure, DNS Shield partner customers' queries are isolated from the effects 
> and continue to be resolved locally ensuring domains powered by UltraDNS are 
> 100% accessible."
>
> My point is that those domains are not necessarily 100% accessible.  They may 
> be 100% resolvable, but it's not the same thing.

Full disclosure: I'm founder/part owner of another DNS provider; some 
would argue we compete with UltraDNS, some would argue we don't.

I read the articles about this differently than everyone else seems to be 
interpreting them.  Most people are looking at it as "fine, they'll answer 
all the DNS queries, but who cares if the site isn't up", and, if that's 
the case, I agree, it is kind of a moot point.  However, these paragraphs 
jumped out at me when I read the release:

"The DNS Shield protects against these and other attacks by integrating 
UltraDNS servers directly into the infrastructure of its Internet service 
providers.

This creates totally protected environments where only authenticated user 
queries are answered and that eliminates the external data blitzes that 
can shut down networks and Web sites, the company said."

Reading this as a DNS guy, I understood it to mean that the DNS servers 
will actually somehow differentiate the DNS queries coming from the 
attacking hosts, and NOT answer them, making it impossible for the 
attackers to resolve the site being attacked, and allowing the site to 
really remain fully up and running, for EVERYONE.  (Except the attacking 
machines, of course.)

It could mean something entirely different than either one of those views, 
of course.  We just don't know, because all we know is the marketing 
information.  So, as Paul said, let's give Rodney some courtesy and the 
benefit of the doubt.  Buy it and see! :)

Tim Wilde

- -- 
Tim Wilde
twilde at dyndns.com
Systems Administrator
Dynamic Network Services, Inc.
http://www.dyndns.com/