strategies to mitigate DNS amplification attacks in ISP network

Roland Dobbins rdobbins at
Tue Dec 1 17:14:21 UTC 2015

On 1 Dec 2015, at 23:59, Martin T wrote:

> What are the common practices to mitigate
> DNS amplification attacks in ISP network?

Situationally-appropriate network access policies instantiated as ACLs 
on hardware-based routers/layer-3 switches in IDCs, on customer 
aggregation routers, in mitigation centers, etc.



IDMS (full disclosure, I work for a vendor of such systems).

See this .pdf preso:


Statefulness is out, as you indicate.

QoS is out, as you indicated (e.g., legitimate traffic is 'crowded out' 
by programmatically-generated attack traffic).

The real solution to this entire problem set is source-address 
validation, as you indicate.  Until the happy day when we've achieved 
universal source-address validation arrives, various combinations of the 

Roland Dobbins <rdobbins at>

More information about the NANOG mailing list