add DDoS prevention sidebar

Author: drbruced12

infra.rst

@@ -620,6 +620,7 @@ quite good incremental deployment properties, another advantage over BGPsec.
 8.2 DNS
 ----------
 
+
 The Domain Name System (DNS) is, like BGP, another critical component of the
 Internet's infrastructure that has come under repeated attack in the
 decades since it was first introduced. Also like BGP, it was developed
@@ -788,4 +789,48 @@ DNS over HTTPS (DoH)
    
 .. sidebar:: DOS-preventing infrastructure
 
-       *Cloudflare is the answer*
+
+   *Capacity is another aspect of network infrastructure that is
+   vulnerable to malicious attack.  Such attacks—or as they are
+   commonly known, *Denial of Service (DoS)* attacks—threaten
+   availability (as opposed to confidentiality or integrity). They
+   typically involve an adversary trying to overwhelm "good" resources
+   (link bandwidth, packet forwarding rates, server response
+   throughput) with traffic generated by "bad" resources (botnets
+   constructed from a distributed collection of compromised
+   devices). Many of the defenses described in this book help protect
+   devices from being compromised in the first place, but because they
+   are not perfect (a human is usually the weakest link), we also need
+   ways to mitigate the impact of a *Distributed DoS (DDoS)* attacks.
+
+   The DDoS challenge is addressed by two general countermeasures;
+   there is no silver bullet. The first is to absorb potential attacks
+   with even greater resources than the adversary is able to
+   muster. For content, this is done using the same mechanism as is
+   used to absorb flash crowds of legitimate traffic: a *Content
+   Distribution Network (CDN)*. The idea is to replicate content
+   (whether it's a movie or a critical piece of infrastructure
+   metadata) across many, widely-distributed servers. As long as the
+   aggregate capacity of these servers is greater than the aggregate
+   capacity of the botnet, content remains available. This notion of
+   *aggregate* capacity generalizes beyond servers responding to GET
+   requests. A network is itself a distributed collection of
+   forwarding and transmission resources, engineered to distribute
+   those resources in a way that avoids vulnerable bottlenecks.
+
+   The second countermeasure is to filter malicious traffic as early
+   (close to the source) as possible.  If a DoS attack comes from a
+   single source, then it is easy to "block" traffic from from that
+   source at an ingress to a network you control. This is why DoS
+   attacks are typically distributed.  Dropping (or rate limiting)
+   attack packets at the boundary router (or firewall) for an
+   enterprise is better than allowing those packets to flood the local
+   network and reach a victim server, but the more widely distributed
+   the periphery of your network, the earlier you can filter malicious
+   packets. And drawing on the first countermeasure, the more widely
+   distributed your network resources are, the greater your aggregate
+   filtering capacity. Global overlay networks, as provided by
+   companies like Cloudflare and Fastly, offer a combination of
+   content distribution and distributed packet filtering.  These are
+   commercial products, with many proprietary details, but the general
+   principles outlined here explains the underlying strategy.*