nanog mailing list archives

Re: strategies to mitigate DNS amplification attacks in ISP network


From: William Herrin <bill () herrin us>
Date: Tue, 1 Dec 2015 13:35:16 -0500

On Tue, Dec 1, 2015 at 11:59 AM, Martin T <m4rtntns () gmail com> wrote:
> Am I wrong in some points? What are the common practices to mitigate
> DNS amplification attacks in ISP network?

Hi Martin,

You seem to be focused on DNS amplification from the perspective of
the attack's target. To the target, it's just another DDOS attack. As
with other DDOS attacks, you reroute the contained /24 to a DDOS
mitigator who specializes in removing unwanted packets from the data
stream and passing the rest to your network via a tunnel. The
mitigator writes custom software on expensive server arrays which
figure out the attack du jour signatures and scrub the packet flows.

Some folks rate-limit UDP flows. This just kills everything sooner
during an attack since you kinda need DNS to work.

Rate limiting by source turns your DNS requests stateful... a happy
fun way to shoot yourself in the foot.

Really, your best bet is to treat it as just another DDOS and let the
guy you pay for DDOS service handle the details.

Regards,
Bill Herrin


-- 
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
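An added example, not from Bill's message or from anything NANOG publishes: a small Python simulation of per-source token-bucket limiting in front of a DNS responder, run over a constructed query log. It illustrates the two costs the reply points at when it says source rate limiting "turns your DNS requests stateful": a legitimate resolver that bursts above the bucket gets its queries dropped, while every spoofed source in an amplification flood costs the responder a fresh state entry and never trips the limit at all. The class and function names, the log line format and the rate/burst values are all assumptions made for this example.

```python
"""Per-source token-bucket limiting for a DNS responder, simulated.

Added example (not from the NANOG thread). Every name here is a
hypothetical choice for illustration; the log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Bucket:
    """Per-source state the limiter has to keep: this is the 'stateful' cost."""
    tokens: float
    last: float


class PerSourceLimiter:
    """Token bucket keyed by client source address (assumed design)."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets: dict[str, Bucket] = {}

    def allow(self, src: str, now: float) -> bool:
        b = self.buckets.get(src)
        if b is None:
            # First sight of this address: allocate state, start with a full bucket.
            b = Bucket(tokens=float(self.burst), last=now)
            self.buckets[src] = b
        else:
            b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
            b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def state_entries(self) -> int:
        return len(self.buckets)

    def expire(self, now: float, idle_sec: float) -> int:
        """Drop buckets idle longer than idle_sec; returns how many were removed."""
        stale = [s for s, b in self.buckets.items() if now - b.last > idle_sec]
        for s in stale:
            del self.buckets[s]
        return len(stale)


def parse_line(line: str) -> tuple[float, str]:
    """Constructed format: '<unix_ts> client=<ip> q=<name> type=<qtype>'."""
    fields = line.split()
    ts = float(fields[0])
    src = fields[1].split("=", 1)[1]
    return ts, src


def constructed_log() -> list[str]:
    """Constructed sample: one real resolver bursting 8 queries in 70 ms,
    then 200 spoofed sources (a flood) sending one query each."""
    lines = [f"{i * 0.01:.3f} client=192.0.2.10 q=example.com type=A" for i in range(8)]
    lines += [f"{1.0 + i * 0.001:.3f} client=10.0.0.{i + 1} q=example.com type=ANY"
              for i in range(200)]
    return lines


def simulate(lines: list[str], limiter: PerSourceLimiter) -> dict[str, list[int]]:
    """Feed each query through the limiter; returns {src: [allowed, dropped]}."""
    counts: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for line in lines:
        ts, src = parse_line(line)
        counts[src][0 if limiter.allow(src, ts) else 1] += 1
    return counts


def run_demo() -> dict[str, int]:
    limiter = PerSourceLimiter(rate_per_sec=5.0, burst=4)
    counts = simulate(constructed_log(), limiter)
    legit = counts["192.0.2.10"]
    spoofed = [v for k, v in counts.items() if k.startswith("10.0.0.")]
    result = {
        "legit_allowed": legit[0],
        "legit_dropped": legit[1],
        "spoofed_allowed": sum(a for a, _ in spoofed),
        "spoofed_dropped": sum(d for _, d in spoofed),
        "state_entries": limiter.state_entries(),
    }
    # State only shrinks if someone garbage-collects it.
    result["expired"] = limiter.expire(now=100.0, idle_sec=30.0)
    result["state_after_expire"] = limiter.state_entries()
    return result


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running it shows the legitimate resolver losing half its burst while all 200 spoofed addresses are answered and leave 201 bucket entries behind until an expiry pass runs; scale the spoofed range up and the memory cost scales with it, which is why the reply prefers handing the flow to a scrubbing service over adding per-source state at the DNS layer.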

