strategies to mitigate DNS amplification attacks in ISP network

William Herrin bill at herrin.us
Tue Dec 1 18:35:16 UTC 2015


On Tue, Dec 1, 2015 at 11:59 AM, Martin T <m4rtntns at gmail.com> wrote:
> Am I wrong in some points? What are the common practices to mitigate
> DNS amplification attacks in ISP network?

Hi Martin,

You seem to be focused on DNS amplification from the perspective of
the attack's target. To the target, it's just another DDOS attack. As
with other DDOS attacks, you reroute the contained /24 to a DDOS
mitigator who specializes in removing unwanted packets from the data
stream and passing the rest to your network via a tunnel. The
mitigator writes custom software on expensive server arrays which
figure out the attack du jour signatures and scrub the packet flows.

Some folks rate-limit UDP flows. This just kills everything sooner
during an attack since you kinda need DNS to work.

Rate limiting by source turns your DNS requests stateful... a happy
fun way to shoot yourself in the foot.

Really, your best bet is to treat it as just another DDOS and let the
guy you pay for DDOS service handle the details.

Regards,
Bill Herrin


-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
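As an added illustration of the two rate-limiting points in the reply above (this is example code, not part of the original post or of anything Bill runs), a blanket UDP limiter and a per-source limiter are run over one constructed second of UDP/53 traffic. The class names, thresholds and traffic mix are assumptions chosen for the demonstration.

```python
class GlobalUdpLimiter:
    """Blanket UDP rate limit: `limit` packets per one-second window, any sender."""
    def __init__(self, limit):
        self.limit, self.window, self.count = limit, None, 0

    def allow(self, ts, src):
        sec = int(ts)
        if sec != self.window:          # new second: reset the single counter
            self.window, self.count = sec, 0
        self.count += 1
        return self.count <= self.limit

class PerSourceLimiter:
    """Per-source limit: `limit` packets per second per source, one state entry each."""
    def __init__(self, limit):
        self.limit, self.state = limit, {}   # state: src -> [second, count]

    def allow(self, ts, src):
        sec = int(ts)
        entry = self.state.get(src)
        if entry is None or entry[0] != sec:   # first packet from src this second
            entry = self.state[src] = [sec, 0]
        entry[1] += 1
        return entry[1] <= self.limit

def constructed_traffic(flood_sources=5000, legit_per_source=10):
    """Constructed sample, not a capture: (timestamp, source, is_legit) for one second.
    Three resolvers send real queries; the flood arrives from many distinct sources."""
    pkts = [(i / flood_sources, f"10.{i >> 8}.{i & 255}.1", False)
            for i in range(flood_sources)]
    for j in range(legit_per_source):
        for src in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            pkts.append((0.5 + 0.01 * j, src, True))
    return sorted(pkts)

def simulate(limiter, packets):
    """Return (legit_allowed, legit_total, flood_allowed, state_entries_held)."""
    legit_ok = legit_total = flood_ok = 0
    for ts, src, legit in packets:
        ok = limiter.allow(ts, src)
        if legit:
            legit_total += 1
            legit_ok += ok
        elif ok:
            flood_ok += 1
    return legit_ok, legit_total, flood_ok, len(getattr(limiter, "state", {}))

if __name__ == "__main__":
    print("global 1000 pps:", simulate(GlobalUdpLimiter(1000), constructed_traffic()))
    print("per-source 10 pps:", simulate(PerSourceLimiter(10), constructed_traffic()))
```

The blanket limiter fills its budget with flood packets and drops every legitimate query, while the per-source limiter passes the whole flood (each spoofed source is seen once) and has to hold one state entry per source it has ever seen.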
