[c-nsp] DNS amplification

Jon Lewis jlewis at lewis.org
Sat Mar 16 22:24:00 UTC 2013


On Sat, 16 Mar 2013, Robert Joosten wrote:

> Hi,
>
>>> Can anyone provide insight into how to defeat DNS amplification attacks?
>> Restrict resolvers to your customer networks.
>
> And deploy RPF

uRPF / BCP38 is really the only solution.  Even if we did close all the 
open recursion DNS servers (which is a good idea), the attackers would 
just shift to another protocol/service that provides amplification of 
traffic and can be aimed via spoofed source address packets.  Going after 
DNS is playing whack-a-mole.  DNS is the hip one right now.  It's not the 
only one available.

Many networks will say "but our gear doesn't do uRPF, and maintaining an 
ACL on every customer port is too hard / doesn't scale."

Consider an alternative solution.  On a typical small ISP / small service 
provider network, if you were to ACL every customer (because your gear 
won't do uRPF), you might need hundreds or even thousands of ACLs. 
However, if you were to put output filters on your transit connections, 
allowing traffic sourced from all IP networks "valid" inside your network, 
you might find that all you need is a single ACL of a handful to several 
dozen entries.  Having one ACL to maintain that only needs changing if you 
get a new IP allocation or add/remove a customer who has their own IPs 
really isn't all that difficult.  As far as the rest of the internet is 
concerned, this solves the issue of spoofed IP packets leaving your 
network.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
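An egress filter of the kind described in the post, written here as an added illustration in Cisco IOS syntax (it is not configuration from the original message). The prefixes (RFC 5737/3849 documentation space) and interface names are placeholders standing in for a provider's own allocations and customer-owned PI space.

```cisco
! Placeholder prefixes: replace with your own allocations and any
! customer-owned address space that legitimately exits via transit.
ip access-list extended EGRESS-BCP38
 remark Only packets sourced from address space valid inside our network may leave
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
 permit ip 203.0.113.0 0.0.0.255 any
 remark Anything else has a spoofed (or misrouted) source: drop it
 deny   ip any any
!
ipv6 access-list EGRESS6-BCP38
 remark Same idea for IPv6: one entry per valid allocation
 permit ipv6 2001:db8::/32 any
 deny   ipv6 any any
!
! Apply outbound on every transit/upstream interface, not on customer ports
interface GigabitEthernet0/1
 description Transit to upstream (placeholder)
 ip access-group EGRESS-BCP38 out
 ipv6 traffic-filter EGRESS6-BCP38 out
!
! Where the platform supports it, strict uRPF on customer-facing ports
! drops spoofed packets at ingress instead of at the transit edge
interface GigabitEthernet0/2
 description Customer port (placeholder)
 ip verify unicast source reachable-via rx
```

The deny entry is left without `log` on purpose: logging every dropped packet on a transit interface punts traffic to the CPU, and `show access-lists EGRESS-BCP38` already gives hit counters for the deny line, which is the quickest way to spot a customer leaking spoofed traffic.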
