Mitigating DNS amplification attacks

Alain Hebert ahebert at pubnix.net
Wed May 1 13:36:41 UTC 2013


    Well,

    I was going more for a public list of ISPs that refuse to BCP38 their
networks.

    But that's just me =D

On point: (If your corporation is massive enough)

    Basically:

    . Mirror DST Port 53;
    . Write some software to collect stats on who's spamming the same DST IP with
the same query;
    . Dynamic ACL them;

    then

    . Give a talk to your customers =D
  

-----
Alain Hebert                                ahebert at pubnix.net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 05/01/13 06:42, Jeff Wheeler wrote:
> On Tue, Apr 30, 2013 at 8:35 PM, Jared Mauch <jared at puck.nether.net> wrote:
>> Please provide advice and insights as well as directing customers to the openresolverproject.org website. We want to close these down, if you need an accurate list of IPs in your ASN, please email me and I can give you very accurate data.
> I think that a public list of open-resolvers is probably overdue, and
> the only way to get them fixed.
>
> It is trivial to scan the entire IPv4 address space for DNS servers
> that do no throttling even without the resources of a malicious
> botnet.
>
> Smurf was only "fixed" because, as there were fewer networks not
> running `no ip directed-broadcast,` the remaining amplification
> sources were flooded with huge amounts of malicious traffic.  The
> public list of smurf amplifiers turned out to be the only way to
> really deal with it.  I predict the same will be true with DNS.
>
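The three-step recipe in the post above (mirror DST port 53, count who repeats the same query to the same resolver, feed the offenders into a dynamic ACL) as a small worked example. This is added illustration code, not anything from the thread or from PubNIX; the parsed query records, the 10-second window, the threshold of 5 and the IOS-style ACL rendering are all assumptions, and the sample records are constructed.

```python
"""Flag DNS-reflection abuse candidates from mirrored port-53 query records.

Added example (not from the original post). Each record is what a collector
sitting on a DST-port-53 mirror might produce after decoding the query:
(timestamp, src, dst, qname, qtype). A source that repeats the identical
(dst, qname, qtype) at least `threshold` times inside any `window`-second span
is flagged and rendered as an ACL entry. All values below are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Query = Tuple[float, str, str, str, str]  # (timestamp, src, dst, qname, qtype)
Hit = Tuple[str, str, str, int]           # (dst, qname, qtype, peak_count)

# Constructed sample traffic (assumed, not captured from any real network).
SAMPLE_QUERIES: List[Query] = (
    # reflection pattern: same ANY query to the same resolver, 8 times in ~2 s
    [(100.0 + 0.25 * i, "192.0.2.10", "198.51.100.53", "isc.org.", "ANY")
     for i in range(8)]
    # same source, one unrelated query (must not count toward the key above)
    + [(101.0, "192.0.2.10", "198.51.100.53", "example.com.", "A")]
    # ordinary client: varied queries, never the same one repeated
    + [(100.5, "203.0.113.5", "198.51.100.53", "example.com.", "A"),
       (100.9, "203.0.113.5", "198.51.100.53", "example.com.", "AAAA"),
       (102.0, "203.0.113.5", "198.51.100.53", "example.net.", "MX")]
    # slow repeater: same query every 30 s, never 5 inside a 10 s window
    + [(100.0 + 30.0 * i, "203.0.113.77", "198.51.100.53", "isc.org.", "ANY")
       for i in range(6)]
)


def find_repeaters(queries: List[Query], window: float = 10.0,
                   threshold: int = 5) -> Dict[str, List[Hit]]:
    """Return {src: [(dst, qname, qtype, peak_count), ...]} for every
    (src, dst, qname, qtype) whose count within some `window`-second span
    reached `threshold`. Records are processed in timestamp order; a deque per
    key holds only the timestamps still inside the window."""
    recent: Dict[Tuple[str, str, str, str], Deque[float]] = defaultdict(deque)
    peaks: Dict[Tuple[str, str, str, str], int] = {}
    for ts, src, dst, qname, qtype in sorted(queries):
        key = (src, dst, qname.lower(), qtype.upper())  # normalise the query
        seen = recent[key]
        seen.append(ts)
        while seen and ts - seen[0] > window:          # expire old timestamps
            seen.popleft()
        if len(seen) > peaks.get(key, 0):
            peaks[key] = len(seen)
    flagged: Dict[str, List[Hit]] = defaultdict(list)
    for (src, dst, qname, qtype), count in peaks.items():
        if count >= threshold:
            flagged[src].append((dst, qname, qtype, count))
    return dict(flagged)


def acl_entries(flagged: Dict[str, List[Hit]], acl_number: int = 120) -> List[str]:
    """Render one IOS-style extended ACL deny line per flagged source
    (syntax assumed; adapt to your platform). Sorted so repeated runs produce
    a stable list that is easy to diff and to expire later."""
    return [f"access-list {acl_number} deny udp host {src} any eq 53"
            for src in sorted(flagged)]


if __name__ == "__main__":
    hits = find_repeaters(SAMPLE_QUERIES)
    for src, details in hits.items():
        for dst, qname, qtype, count in details:
            print(f"{src} -> {dst} {qname} {qtype}: peak {count} in window")
    for line in acl_entries(hits):
        print(line)
```

One caveat worth keeping in mind when you wire this into a real ACL: in a reflection attack the "source" seen on the mirror is the spoofed address of the victim, not the attacker. Dropping queries that claim to come from it still does the right thing (your resolvers stop amplifying toward that victim), but the entries should expire on their own, and the threshold should sit well above what a legitimate busy stub resolver or forwarder would produce against your servers.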




More information about the NANOG mailing list