Mitigating DNS amplification attacks

Jeff Wheeler jsw at inconcepts.biz
Wed May 1 10:42:32 UTC 2013


On Tue, Apr 30, 2013 at 8:35 PM, Jared Mauch <jared at puck.nether.net> wrote:
> Please provide advice and insights as well as directing customers to the openresolverproject.org website. We want to close these down, if you need an accurate list of IPs in your ASN, please email me and I can give you very accurate data.

I think that a public list of open-resolvers is probably overdue, and
the only way to get them fixed.

It is trivial to scan the entire IPv4 address space for DNS servers
that do no throttling even without the resources of a malicious
botnet.

Smurf was only "fixed" because, as there were fewer networks not
running `no ip directed-broadcast,` the remaining amplification
sources were flooded with huge amounts of malicious traffic.  The
public list of smurf amplifiers turned out to be the only way to
really deal with it.  I predict the same will be true with DNS.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts
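An added example, not from the original post: a self-check for a single resolver you operate, sending one recursion-desired query over UDP and classifying the reply from the DNS header flags (RA bit, RCODE). It assumes a placeholder resolver address (192.0.2.53, TEST-NET-1) and `example.com` as the query name; `classify_response` also covers the REFUSED and no-answer cases so the result is explicit rather than inferred.

```python
import socket
import struct

# Placeholder address (TEST-NET-1); replace with a resolver you administer.
RESOLVER = "192.0.2.53"
QNAME = "example.com"  # assumed query name, any name the resolver is not authoritative for


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query with the RD (recursion desired) bit set."""
    flags = 0x0100  # QR=0, opcode=0 (QUERY), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes) -> str:
    """Classify a raw DNS reply by header flags alone.

    'open'    : QR=1, RA=1, RCODE=0 and at least one answer -> recursion served to us
    'refused' : RCODE=5 (REFUSED) or RA clear -> resolver declines recursion
    'other'   : not a response, no answer records, SERVFAIL/NXDOMAIN, or too short
    """
    if len(resp) < 12:
        return "other"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    qr = (flags >> 15) & 1
    ra = (flags >> 7) & 1
    rcode = flags & 0xF
    if not qr:
        return "other"
    if rcode == 5 or not ra:
        return "refused"
    if rcode == 0 and ancount > 0:
        return "open"
    return "other"


def check_resolver(addr: str, qname: str = QNAME, timeout: float = 3.0) -> str:
    """Send one recursive query and classify the reply; 'timeout' if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (addr, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(resp)


if __name__ == "__main__":
    print(RESOLVER, check_resolver(RESOLVER))
```

A result of `open` from an address outside your own network is the condition the openresolverproject.org list is built from; the fix is to restrict recursion to your own prefixes (and rate-limit responses) rather than to rely on the resolver going unnoticed.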

More information about the NANOG mailing list