nanog mailing list archives

Re: Mitigating DNS amplification attacks

From: Jared Mauch <jared () puck nether net>
Date: Tue, 30 Apr 2013 20:35:18 -0400

Please look at something like rate limiting.

Please look at preventing these spoofed packets from entering your network and report the issue.

Please provide advice and insights as well as directing customers to the openresolverproject.org website. We want to 
close these down, if you need an accurate list of IPs in your ASN, please email me and I can give you very accurate 
data.

Thanks!

On Apr 30, 2013, at 7:43 PM, Thomas St-Pierre <tstpierre () iweb com> wrote:

Hi!

I was wondering if anyone had any experience with dealing with open resolvers as a web hoster? We currently have some
40,000 ip's that respond to DNS in our AS, the majority of which are not "open" but do reply with a referral to the
root zones. We've been sending emails to our clients but as the servers are not managed by us, there's not much we
can do at that level.

Recently we've seen a large increase in the number and volume of DNS amplification DDOS's that are being reflected
off of our AS. Just today we've seen at least 6 different attacks with between 4 and 10gbps leaving our AS each time.
It's not really causing us issues at the moment because we have the capacity, but I'd hate to be on the receiving
side. (and indeed, have been on the receiving side in the past, so I know how much it can suck)

Has anyone ever tried mitigating/rate-limiting/etc these attacks in the network before? (vs at the server/application
level)

We have an Arbor peakflow device, but it's not really geared for this scenario I find. It will detect the outgoing
attack via the flows, but all we can really do is null-route the victims ip in our AS. Ideally we would need a way to
rate-limit DNS packets based on source ip. Maybe a linux box that handles dropping packets from the same source-ip
over 1000/sec with some policy-based routing sending the DNS traffic to it? Does such a box exist already?

If anyone has any ideas or suggestions, then by all means! There must be a better way to do this, and I'd really like
to avoid re-inventing the wheel if it's been invented already. :)

Thanks!
Thomas

Current thread:

Re: Mitigating DNS amplification attacks Dobbins, Roland (Apr 30)
- Re: Mitigating DNS amplification attacks Thomas St-Pierre (Apr 30)
  - Re: Mitigating DNS amplification attacks Damian Menscher (Apr 30)
    - Re: Mitigating DNS amplification attacks Thomas St-Pierre (Apr 30)
    - Re: Mitigating DNS amplification attacks Dobbins, Roland (Apr 30)
  - Re: Mitigating DNS amplification attacks Doug Barton (May 01)
- <Possible follow-ups>
- Re: Mitigating DNS amplification attacks Jared Mauch (Apr 30)
  - Re: Mitigating DNS amplification attacks Jeff Wheeler (May 01)
    - Re: Mitigating DNS amplification attacks Dobbins, Roland (May 01)
    - Re: Mitigating DNS amplification attacks Alain Hebert (May 01)