nanog mailing list archives

Re: Mitigating DNS amplification attacks


From: Alain Hebert <ahebert () pubnix net>
Date: Wed, 01 May 2013 09:36:41 -0400

    Well,

    I was going more for a public list of ISPs that refuse to BCP38 their
networks.

    But that's just me =D

On point: (If your corporation is massive enough)

    Basically:

    . Mirror DST Port 53;
    . Write some software to stat who's spamming the same DST IP with
the same query;
    . Dynamic ACL them;

    then

    . Give a talk to your customers =D
  

-----
Alain Hebert                                ahebert () pubnix net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 05/01/13 06:42, Jeff Wheeler wrote:
> On Tue, Apr 30, 2013 at 8:35 PM, Jared Mauch <jared () puck nether net> wrote:
>> Please provide advice and insights as well as directing customers to the
>> openresolverproject.org website. We want to close these down. If you need
>> an accurate list of IPs in your ASN, please email me and I can give you
>> very accurate data.
> I think that a public list of open-resolvers is probably overdue, and
> the only way to get them fixed.
>
> It is trivial to scan the entire IPv4 address space for DNS servers
> that do no throttling even without the resources of a malicious
> botnet.
>
> Smurf was only "fixed" because, as there were fewer networks not
> running `no ip directed-broadcast,` the remaining amplification
> sources were flooded with huge amounts of malicious traffic.  The
> public list of smurf amplifiers turned out to be the only way to
> really deal with it.  I predict the same will be true with DNS.
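
The three-step procedure Alain sketches above (mirror DST port 53, count who keeps sending the same query to the same destination, hand the result to a dynamic ACL), as an added Python example that is not part of this thread or any poster's code. The query feed, addresses, window and threshold are constructed for illustration, and the ACL output is a list of candidate (src, dst) pairs rather than any vendor's ACL syntax.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    """One DNS query seen on the mirrored port-53 feed (constructed sample)."""
    ts: float    # seconds
    src: str     # claimed source; in a reflection attack this is the spoofed victim
    dst: str     # resolver the query is aimed at
    qname: str
    qtype: str


class RepeatDetector:
    """Sliding-window count of identical (src, dst, qname, qtype) tuples."""

    def __init__(self, window_s=10.0, threshold=100):
        self.window_s = window_s
        self.threshold = threshold
        self._seen = defaultdict(deque)  # key -> timestamps inside the window
        self.flagged = {}                # key -> count at the moment it was flagged

    def observe(self, q):
        """Record one query; return the key if it just crossed the threshold."""
        key = (q.src, q.dst, q.qname, q.qtype)
        times = self._seen[key]
        times.append(q.ts)
        while times and q.ts - times[0] > self.window_s:
            times.popleft()
        if len(times) >= self.threshold and key not in self.flagged:
            self.flagged[key] = len(times)
            return key
        return None

    def acl_candidates(self):
        """(src, dst) pairs to feed a dynamic ACL; qname/qtype stay in the report."""
        return sorted({(s, d) for (s, d, _, _) in self.flagged})


def run_sample():
    """Constructed feed: 120 identical ANY queries in 12 s plus benign lookups."""
    det = RepeatDetector(window_s=10.0, threshold=100)
    attack = [Query(i * 0.1, "198.51.100.7", "203.0.113.53", "example.org", "ANY")
              for i in range(120)]
    benign = [Query(float(i), "192.0.2.10", "203.0.113.53", f"host{i}.example.com", "A")
              for i in range(20)]
    for q in sorted(attack + benign, key=lambda q: q.ts):
        det.observe(q)
    return det
```

The benign lookups never repeat the same (src, dst, qname, qtype) tuple, so only the repeated ANY query is flagged; tune `window_s` and `threshold` against your own mirrored traffic before wiring the output to anything that blocks.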
