Mitigating DNS amplification attacks

Jared Mauch jared at puck.nether.net
Wed May 1 00:35:18 UTC 2013


Please look at something like rate limiting.

Please look at preventing these spoofed packets from entering your network and report the issue.

Please provide advice and insights as well as directing customers to the openresolverproject.org website. We want to close these down, if you need an accurate list of IPs in your ASN, please email me and I can give you very accurate data.

Thanks!

On Apr 30, 2013, at 7:43 PM, Thomas St-Pierre <tstpierre at iweb.com> wrote:

> Hi!
> 
> I was wondering if anyone had any experience with dealing with open resolvers as a web hoster? We currently have some 40,000 ip's that respond to DNS in our AS, the majority of which are not "open" but do reply with a referral to the root zones. We've been sending emails to our clients but as the servers are not managed by us, there's not much we can do at that level.
> 
> Recently we've seen a large increase in the number and volume of DNS amplification DDOS's that are being reflected off of our AS. Just today we've seen at least 6 different attacks with between 4 and 10gbps leaving our AS each time. It's not really causing us issues at the moment because we have the capacity, but I'd hate to be on the receiving side. (and indeed, have been on the receiving side in the past, so I know how much it can suck)
> 
> Has anyone ever tried mitigating/rate-limiting/etc these attacks in the network before? (vs at the server/application level)
> 
> We have an Arbor peakflow device, but it's not really geared for this scenario I find. It will detect the outgoing attack via the flows, but all we can really do is null-route the victims ip in our AS. Ideally we would need a way to rate-limit DNS packets based on source ip. Maybe a linux box that handles dropping packets from the same source-ip over 1000/sec with some policy-based routing sending the DNS traffic to it? Does such a box exist already?
> 
> If anyone has any ideas or suggestions, then by all means! There must be a better way to do this, and I'd really like to avoid re-inventing the wheel if it's been invented already. :)
> 
> Thanks!
> Thomas



More information about the NANOG mailing list