Mitigating DNS amplification attacks

Dobbins, Roland rdobbins at arbor.net
Tue Apr 30 23:57:38 UTC 2013


On May 1, 2013, at 6:43 AM, Thomas St-Pierre wrote:

>  We've been sending emails to our clients but as the servers are not managed by us, there's not much we can do at that level.

Sure, there is - shut them down if they don't comply.  Most ISPs have AUP verbiage which would apply to a situation of this type.

> Has anyone ever tried mitigating/rate-limiting/etc these attacks in the network before? (vs at the server/application level)

QoS doesn't work, as the programmatically-generated attack traffic 'crowds out' legitimate requests.

> We have an Arbor peakflow device, but it's not really geared for this scenario I find.

Peakflow SP is a NetFlow-based anomaly-detection system which performs attack detection/classification/traceback.  Please feel free to ping me offlist about additional system elements which perform attack mitigation.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton





More information about the NANOG mailing list