nanog mailing list archives
Re: strategies to mitigate DNS amplification attacks in ISP network
From: William Herrin <bill () herrin us>
Date: Tue, 1 Dec 2015 13:35:16 -0500
On Tue, Dec 1, 2015 at 11:59 AM, Martin T <m4rtntns () gmail com> wrote:
> Am I wrong in some points? What are the common practices to mitigate DNS amplification attacks in ISP network?
Hi Martin,

You seem to be focused on DNS amplification from the perspective of the attack's target. To the target, it's just another DDOS attack. As with other DDOS attacks, you reroute the contained /24 to a DDOS mitigator who specializes in removing unwanted packets from the data stream and passing the rest to your network via a tunnel. The mitigator writes custom software on expensive server arrays which figure out the attack du jour signatures and scrub the packet flows.

Some folks rate-limit UDP flows. This just kills everything sooner during an attack since you kinda need DNS to work. Rate limiting by source turns your DNS requests stateful... a happy fun way to shoot yourself in the foot.

Really, your best bet is to treat it as just another DDOS and let the guy you pay for DDOS service handle the details.

Regards,
Bill Herrin

--
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
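Added example (not part of the thread or anyone's posted code): a small simulation of the two rate-limiting outcomes described above. It runs constructed traffic at the target (RFC 5737 addresses, two legitimate resolvers, 100 reflectors, made-up rates) through one aggregate UDP token bucket and then through per-source buckets; the aggregate limiter starves legitimate answers along with the flood, while the per-source version needs a state entry for every address seen and, with many reflectors each sending slowly, drops nothing at all.

```python
from collections import defaultdict

# Constructed sample traffic as seen at the target: (time_s, src_ip, size_bytes).
# Legit: two resolvers (192.0.2.1 and .2) returning 20 answers/s in total.
# Attack: 100 open reflectors (203.0.113.x) returning ~3 KB answers, 500 pkt/s
# in total. All addresses are RFC 5737 documentation ranges; rates are made up.
def build_traffic(duration_s=10, legit_pps=20, reflectors=100, attack_pps=500):
    pkts = []
    for i in range(duration_s * legit_pps):
        pkts.append((0.001 + i / legit_pps, f"192.0.2.{1 + i % 2}", 120))
    for j in range(duration_s * attack_pps):
        pkts.append((j / attack_pps, f"203.0.113.{j % reflectors}", 3000))
    return sorted(pkts)  # time-ordered; the two timestamp grids never collide

class TokenBucket:
    """Sustained `rate` packets/s, up to `burst` packets admitted at once."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def run(pkts, bucket_for):
    """Push the stream through a limiter; return the drop fraction per traffic kind."""
    seen, dropped = defaultdict(int), defaultdict(int)
    for t, src, _size in pkts:
        kind = "legit" if src.startswith("192.0.2.") else "attack"
        seen[kind] += 1
        if not bucket_for(src).allow(t):
            dropped[kind] += 1
    return {k: dropped[k] / seen[k] for k in seen}

def compare():
    pkts = build_traffic()
    # Stateless: one bucket for all inbound UDP, 100 pkt/s whoever sent it.
    aggregate = TokenBucket(100, 100)
    agg = run(pkts, lambda src: aggregate)
    # Stateful: one bucket per source address, created the first time it is seen.
    per_src = defaultdict(lambda: TokenBucket(50, 50))
    ps = run(pkts, lambda src: per_src[src])
    return {
        "aggregate_legit_drop": agg["legit"],      # > 0.5: legit DNS starved
        "per_source_legit_drop": ps["legit"],      # 0.0: legit untouched...
        "per_source_attack_drop": ps["attack"],    # 0.0: ...but so is the flood
        "per_source_state_entries": len(per_src),  # 102: one entry per source
    }
```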