nanog mailing list archives

Re: DDoS using port 0 and 53 (DNS)


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Wed, 25 Jul 2012 16:41:27 +0000


On Jul 25, 2012, at 10:27 PM, Frank Bulk wrote:

Can netflow _properly_ "capture" whether a packet is a fragment or not?

No.

If not, does IPFIX address this?

Yes.

But this is all a distraction.  We are now down in the weeds.

Your customers were victims of a DNS reflection/amplification attack.  The issue of fragmentation is moot.  The defense 
methodologies already discussed are how folks typically deal with these attacks.  There isn't an overarching network 
access policy list you can apply at your edges or ask your peers/upstreams to apply which will mask them - the optimal 
approach is to deal with them on a case-by-case basis.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
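The two points in the exchange above (NetFlow v5 cannot tell a fragment from a whole datagram, IPFIX can, and the underlying problem is a DNS reflection/amplification flood) can be made concrete with a small flow-record triage routine. The following is an added example written for this archive page; it is not code from the thread's authors or from any vendor product. The record layout, the sample flows, the documentation-range addresses and the thresholds are all constructed assumptions; the only real identifiers are the IANA IPFIX element numbers 88 (fragmentOffset) and 197 (fragmentFlags). Port-0 flows whose exporter cannot report fragment state are left unattributed, which is exactly the gap Roland's "No" refers to.

```python
# Added example (not from the NANOG thread): triage constructed flow records for
# signs of a DNS reflection/amplification flood, and show why NetFlow v5 records
# cannot say whether a port-0 flow was a fragment while IPFIX records can.
from collections import defaultdict

# IANA IPFIX information element IDs for fragment state. NetFlow v5 has no equivalent.
IE_FRAGMENT_OFFSET = 88   # fragmentOffset, in 8-octet units
IE_FRAGMENT_FLAGS = 197   # fragmentFlags, one octet laid out R|D|M|0|0|0|0|0
MF_FLAG = 0x20            # "more fragments" bit within fragmentFlags
DF_FLAG = 0x40            # "don't fragment" bit within fragmentFlags
UDP = 17
DNS_PORT = 53


def is_fragment(record):
    """Return True/False when the exporter supplied IPFIX fragment elements,
    or None when it did not (a NetFlow v5 exporter cannot say either way)."""
    ies = record.get("ies")
    if not ies or IE_FRAGMENT_OFFSET not in ies:
        return None
    offset = ies[IE_FRAGMENT_OFFSET]
    flags = ies.get(IE_FRAGMENT_FLAGS, 0)
    # First fragment: offset 0 with MF set. Later fragments: non-zero offset.
    return offset > 0 or bool(flags & MF_FLAG)


def find_reflection_victims(records, min_sources=3, min_bytes_per_packet=1000):
    """Group UDP traffic sourced from port 53 (plus non-initial fragments, which carry
    no UDP header and so appear with port 0) by destination. Report destinations hit
    from at least min_sources distinct resolvers with large average packet size."""
    by_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0,
                                  "fragments": 0, "unknown": 0})
    for r in records:
        if r["proto"] != UDP:
            continue
        frag = is_fragment(r)
        from_dns = r["sport"] == DNS_PORT
        trailing_fragment = frag is True and r["sport"] == 0
        if not (from_dns or trailing_fragment):
            continue  # port-0 flows with unknown fragment state stay unattributed
        agg = by_dst[r["dst"]]
        agg["sources"].add(r["src"])
        agg["packets"] += r["packets"]
        agg["bytes"] += r["bytes"]
        if frag is None:
            agg["unknown"] += 1
        elif frag:
            agg["fragments"] += 1
    victims = {}
    for dst, agg in by_dst.items():
        bpp = agg["bytes"] / agg["packets"]
        if len(agg["sources"]) >= min_sources and bpp >= min_bytes_per_packet:
            victims[dst] = {"sources": len(agg["sources"]),
                            "bytes_per_packet": round(bpp),
                            "fragment_flows": agg["fragments"],
                            "fragment_state_unknown": agg["unknown"]}
    return victims


def port_zero_without_fragment_state(records):
    """List (src, dst) of UDP port-0/port-0 flows whose exporter gave no fragment info."""
    return [(r["src"], r["dst"]) for r in records
            if r["proto"] == UDP and r["sport"] == 0 and r["dport"] == 0
            and is_fragment(r) is None]


# Constructed sample flows: three open resolvers answering toward 192.0.2.10 (the customer)
# and one ordinary response toward 192.0.2.20. All addresses are documentation-range placeholders.
SAMPLE_RECORDS = [
    {"exporter": "netflow5", "src": "198.51.100.1", "dst": "192.0.2.10", "proto": UDP,
     "sport": 53, "dport": 4444, "packets": 40, "bytes": 58000},                 # v5: no fragment data
    {"exporter": "ipfix", "src": "198.51.100.2", "dst": "192.0.2.10", "proto": UDP,
     "sport": 53, "dport": 4444, "packets": 30, "bytes": 44400,
     "ies": {IE_FRAGMENT_OFFSET: 0, IE_FRAGMENT_FLAGS: MF_FLAG}},               # first fragments
    {"exporter": "ipfix", "src": "198.51.100.2", "dst": "192.0.2.10", "proto": UDP,
     "sport": 0, "dport": 0, "packets": 30, "bytes": 30000,
     "ies": {IE_FRAGMENT_OFFSET: 185, IE_FRAGMENT_FLAGS: 0}},                   # trailing fragments
    {"exporter": "ipfix", "src": "198.51.100.3", "dst": "192.0.2.10", "proto": UDP,
     "sport": 53, "dport": 4444, "packets": 25, "bytes": 36000,
     "ies": {IE_FRAGMENT_OFFSET: 0, IE_FRAGMENT_FLAGS: 0}},                     # unfragmented
    {"exporter": "netflow5", "src": "198.51.100.1", "dst": "192.0.2.10", "proto": UDP,
     "sport": 0, "dport": 0, "packets": 20, "bytes": 25000},                     # v5 port 0: unknowable
    {"exporter": "ipfix", "src": "198.51.100.9", "dst": "192.0.2.20", "proto": UDP,
     "sport": 53, "dport": 51000, "packets": 2, "bytes": 300,
     "ies": {IE_FRAGMENT_OFFSET: 0, IE_FRAGMENT_FLAGS: DF_FLAG}},               # normal lookup
]

if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE_RECORDS))
    print("port-0 flows with unknown fragment state:", port_zero_without_fragment_state(SAMPLE_RECORDS))
```

With the sample above, 192.0.2.10 is reported with three distinct resolver sources and an average of about 1347 bytes per packet, while the NetFlow v5 port-0 flow is listed separately as unattributable, which is the practical reason the reply says IPFIX answers the fragment question and NetFlow v5 does not. The per-destination output is meant for the case-by-case handling the reply recommends, not for an edge-wide filter.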


