Mitigating DNS amplification attacks

[Thomas St-Pierre <tstpierre () iweb com>]

Hi!

I was wondering if anyone had any experience with dealing with open resolvers as a web hoster? We currently have some 
40,000 ip's that respond to DNS in our AS, the majority of which are not "open" but do reply with a referral to the 
root zones. We've been sending emails to our clients but as the servers are not managed by us, there's not much we can 
do at that level.

Recently we've seen a large increase in the number and volume of DNS amplification DDOS's that are being reflected off 
of our AS. Just today we've seen at least 6 different attacks with between 4 and 10gbps leaving our AS each time. It's 
not really causing us issues at the moment because we have the capacity, but I'd hate to be on the receiving side. (and 
indeed, have been on the receiving side in the past, so I know how much it can suck)

Has anyone ever tried mitigating/rate-limiting/etc these attacks in the network before? (vs at the server/application 
level)

We have an Arbor peakflow device, but it's not really geared for this scenario I find. It will detect the outgoing 
attack via the flows, but all we can really do is null-route the victims ip in our AS. Ideally we would need a way to 
rate-limit DNS packets based on source ip. Maybe a linux box that handles dropping packets from the same source-ip over 
1000/sec with some policy-based routing sending the DNS traffic to it? Does such a box exist already?

If anyone has any ideas or suggestions, then by all means! There must be a better way to do this, and I'd really like 
to avoid re-inventing the wheel if it's been invented already. :)

Thanks!
Thomas