nanog mailing list archives

Re: Mitigating DNS amplification attacks


From: Thomas St-Pierre <tstpierre () iweb com>
Date: Wed, 1 May 2013 00:28:34 +0000

Hi!

On 13-04-30 7:57 PM, "Dobbins, Roland" <rdobbins () arbor net> wrote:

> On May 1, 2013, at 6:43 AM, Thomas St-Pierre wrote:
>
>> We've been sending emails to our clients but as the servers are not
>> managed by us, there's not much we can do at that level.
>
> Sure, there is - shut them down if they don't comply.  Most ISPs have AUP
> verbiage which would apply to a situation of this type.

Unfortunately I somehow doubt management is going to look favourably on a
request to shut down so many clients. :( The large majority of the servers
being used in the attacks are not open resolvers. Just DNS servers that
are authoritative for a few domains, and the default config of the DNS
application does referrals to root for anything else.

Yes there are ways of protecting against this on the server itself, but I
don't see it happening here given the complexity of many of the solutions.
I hate to say it, but if it's not "next -> next -> next -> finish", or
integrated as an option in one of the common web hosting panels (cPanel,
Plesk, etc) people won't do it. We still struggle just getting people to
close actual open resolvers, and that is easy to configure.



>> Has anyone ever tried mitigating/rate-limiting/etc these attacks in the
>> network before? (vs at the server/application level)
>
> QoS doesn't work, as the programmatically-generated attack traffic
> 'crowds out' legitimate requests.
>
>> We have an Arbor peakflow device, but it's not really geared for this
>> scenario I find.
>
> Peakflow SP is a NetFlow-based anomaly-detection system which performs
> attack detection/classification/traceback.  Please feel free to ping me
> offlist about additional system elements which perform attack mitigation.


Pinged off-list!

Thanks!
Thomas
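The thread describes the detection problem from the hosting side: many customer-run authoritative servers that answer referrals for anything they are not authoritative for, a NetFlow-based anomaly system, and no appetite for shutting clients down wholesale. The following is an added example, not code from this thread, from Arbor or from any of the posters, of the flow-level logic a network operator could run to find which hosted servers are currently amplifying towards which spoofed victim, so that the few servers responsible for most of the outbound bytes can be contacted first. The flow record layout (CSV: src,dst,proto,sport,dport,packets,bytes), the hosted prefix 203.0.113.0/24 and every sample flow are constructed for illustration; the thresholds are assumptions to tune per network.

```python
"""
Flow-based detection of outbound DNS amplification from hosted servers.

Added example. Flow format, address space and sample records are constructed;
the thresholds are assumptions, not measured values.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import math

UDP = 17
DNS_PORT = 53

# Hypothetical hosted address space (RFC 5737 documentation prefix).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    bytes: int


def is_ours(ip: str) -> bool:
    """True if the address falls inside one of our hosted prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV flow line: src,dst,proto,sport,dport,packets,bytes."""
    src, dst, proto, sport, dport, packets, nbytes = line.strip().split(",")
    return Flow(src, dst, int(proto), int(sport), int(dport), int(packets), int(nbytes))


def detect_amplification(flows, min_ratio=5.0, min_response_bytes=50_000, min_servers=1):
    """
    Aggregate UDP/53 traffic per external address:
      request_bytes  = bytes that address sent to port 53 on our servers
      response_bytes = bytes our servers sent from port 53 back to it
    A spoofed victim receives far more response bytes than it ever "asked"
    for, typically from several of our servers at once. An address with
    responses but no observed requests (e.g. requests fell outside the
    sampling window) gets an infinite ratio rather than a division error.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    servers = defaultdict(set)
    for f in flows:
        if f.proto != UDP:
            continue
        if f.dport == DNS_PORT and is_ours(f.dst) and not is_ours(f.src):
            req[f.src] += f.bytes
        elif f.sport == DNS_PORT and is_ours(f.src) and not is_ours(f.dst):
            resp[f.dst] += f.bytes
            servers[f.dst].add(f.src)

    findings = {}
    for dst, out_bytes in resp.items():
        in_bytes = req.get(dst, 0)
        ratio = out_bytes / in_bytes if in_bytes else math.inf
        if (out_bytes >= min_response_bytes and ratio >= min_ratio
                and len(servers[dst]) >= min_servers):
            findings[dst] = {"response_bytes": out_bytes, "request_bytes": in_bytes,
                             "ratio": ratio, "servers": sorted(servers[dst])}
    return findings


def rank_servers(flows, findings):
    """Our servers ordered by bytes sent to flagged destinations, largest first."""
    totals = defaultdict(int)
    for f in flows:
        if f.proto == UDP and f.sport == DNS_PORT and f.dst in findings and is_ours(f.src):
            totals[f.src] += f.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample: one spoofed victim hit by two of our servers, one
# legitimate resolver with a normal response/request ratio, one non-DNS flow.
SAMPLE_FLOWS = """\
198.51.100.10,203.0.113.5,17,4000,53,200,12000
203.0.113.5,198.51.100.10,17,53,4000,200,120000
198.51.100.10,203.0.113.7,17,4000,53,150,9000
203.0.113.7,198.51.100.10,17,53,4000,150,90000
192.0.2.20,203.0.113.5,17,53211,53,40,2800
203.0.113.5,192.0.2.20,17,53,53211,40,5200
192.0.2.30,203.0.113.5,6,44100,80,10,6000
"""


def run_sample():
    """Run the detector over the constructed flows; returns (findings, ranking)."""
    flows = [parse_flow(line) for line in SAMPLE_FLOWS.splitlines() if line.strip()]
    findings = detect_amplification(flows)
    return findings, rank_servers(flows, findings)


if __name__ == "__main__":
    found, ranking = run_sample()
    for victim, info in found.items():
        print(f"{victim}: ratio {info['ratio']:.1f}, {info['response_bytes']} B from {info['servers']}")
    for server, nbytes in ranking:
        print(f"contact owner of {server}: {nbytes} B towards flagged victims")
```

The ratio test is what distinguishes an amplification victim from a busy but legitimate resolver, which the sample resolver at 192.0.2.20 illustrates (ratio below 2, total bytes below the floor). The ranking is the operational output for the situation in the thread: instead of asking management to cut off every customer whose server answers referrals, it names the handful of servers contributing most of the outbound volume right now.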


