strategies to mitigate DNS amplification attacks in ISP network

Roland Dobbins rdobbins at arbor.net
Tue Dec 1 17:14:21 UTC 2015


On 1 Dec 2015, at 23:59, Martin T wrote:

> What are the common practices to mitigate
> DNS amplification attacks in ISP network?

Situationally-appropriate network access policies instantiated as ACLs 
on hardware-based routers/layer-3 switches in IDCs, on customer 
aggregation routers, in mitigation centers, etc.

S/RTBH.

flowspec.

IDMS (full disclosure, I work for a vendor of such systems).

See this .pdf preso:

<https://app.box.com/s/r7an1moswtc7ce58f8gg>

Statefulness is out, as you indicate.

QoS is out, as you indicated (e.g., legitimate traffic is 'crowded out' 
by programmatically-generated attack traffic).

The real solution to this entire problem set is source-address 
validation, as you indicate.  Until the happy day when we've achieved 
universal source-address validation, various combinations of the 
above.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
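
Added illustration, not part of the original post: a minimal model of source-address validation at a customer aggregation edge, where a packet is forwarded only if its source address lies in a prefix assigned to the interface it arrived on. Interface names, prefixes and packets are constructed (documentation address ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed provisioning data (documentation prefixes): the source
# prefixes each customer-facing interface is allowed to originate.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

def build_sav_table(assigned):
    """Parse provisioning data into ip_network objects per interface."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}

def permit_ingress(table, ifname, src):
    """Return True only if src lies in a prefix assigned to ifname."""
    addr = ipaddress.ip_address(src)
    nets = table.get(ifname, [])  # unknown interface: nothing is permitted
    return any(addr.version == net.version and addr in net for net in nets)

def filter_packets(table, packets):
    """Split (ifname, src, dst, dport) tuples into forwarded and dropped."""
    forwarded, dropped = [], []
    for pkt in packets:
        ok = permit_ingress(table, pkt[0], pkt[1])
        (forwarded if ok else dropped).append(pkt)
    return forwarded, dropped

# Constructed packets: DNS queries arriving on customer interfaces.
SAMPLE = [
    ("cust-a", "192.0.2.10", "203.0.113.53", 53),    # source in cust-a's prefix
    ("cust-a", "192.0.2.200", "203.0.113.53", 53),   # outside the /25: dropped
    ("cust-a", "198.51.100.7", "203.0.113.53", 53),  # cust-b's space on cust-a: dropped
    ("cust-b", "198.51.100.7", "203.0.113.53", 53),  # source in cust-b's prefix
    ("cust-b", "203.0.113.99", "203.0.113.53", 53),  # not assigned here: dropped
    ("cust-a", "2001:db8:a::1", "2001:db8:ffff::53", 53),  # IPv6, in prefix
]

if __name__ == "__main__":
    fwd, drop = filter_packets(build_sav_table(ASSIGNED), SAMPLE)
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drop:
        print("drop   ", pkt)
```

The same source address is forwarded on one interface and dropped on another, which is why the check has to be applied per customer-facing interface rather than against one network-wide prefix list.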


