strategies to mitigate DNS amplification attacks in ISP network
rdobbins at arbor.net
Tue Dec 1 17:14:21 UTC 2015
On 1 Dec 2015, at 23:59, Martin T wrote:
> What are the common practices to mitigate
> DNS amplification attacks in ISP network?
Situationally-appropriate network access policies instantiated as ACLs
on hardware-based routers/layer-3 switches in IDCs, on customer
aggregation routers, in mitigation centers, etc.
IDMS (full disclosure, I work for a vendor of such systems).
See this .pdf preso:
Statefulness is out, as you indicate.
QoS is out, as you indicated (e.g., legitimate traffic is 'crowded out'
by programmatically-generated attack traffic).
The real solution to this entire problem set is source-address
validation, as you indicate. Until the happy day when we've achieved
universal source-address validation arrives, various combinations of the
Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG