strategies to mitigate DNS amplification attacks in ISP network

William Herrin bill at
Tue Dec 1 18:35:16 UTC 2015

On Tue, Dec 1, 2015 at 11:59 AM, Martin T <m4rtntns at> wrote:
> Am I wrong in some points? What are the common practices to mitigate
> DNS amplification attacks in ISP network?

Hi Martin,

You seem to be focused on DNS amplification from the perspective of
the attack's target. To the target, it's just another DDOS attack. As
with other DDOS attacks, you reroute the contained /24 to a DDOS
mitigator who specializes in removing unwanted packets from the data
stream and passing the rest to your network via a tunnel. The
mitigator writes custom software on expensive server arrays which
figure out the attack du jour signatures and scrub the packet flows.

Some folks rate-limit UDP flows. This just kills everything sooner
during an attack since you kinda need DNS to work.

Rate limiting by source turns your DNS requests stateful... a happy
fun way to shoot yourself in the foot.

Really, your best bet is to treat it as just another DDOS and let the
guy you pay for DDOS service handle the details.

Bill Herrin

William Herrin ................ herrin at  bill at
Owner, Dirtside Systems ......... Web: <>

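To make the two rate-limiting pitfalls concrete, here is a small simulation. It is an added example, not code from Bill Herrin's post or from any NANOG participant: it builds constructed traffic (20 legitimate replies from a hypothetical resolver 192.0.2.53 to a hypothetical victim 198.51.100.10, plus reflected 3,000-byte responses from 200 hypothetical open resolvers in the 100.64.0.0/10 range) and runs it through a single bucket on all inbound UDP/53 ("rate-limit UDP flows") and then through one bucket per source address ("rate limiting by source"). The rates and burst sizes are arbitrary choices for the illustration.

```python
"""Simulate flat vs. per-source rate limiting of a DNS amplification flood.

Added example, not from the NANOG thread.  All traffic is constructed and
all addresses are documentation / CGNAT ranges chosen for the illustration.
Timestamps are integer microseconds and bucket tokens are integer
micro-tokens, so every run is exact and reproducible.
"""
from collections import namedtuple
import ipaddress

Packet = namedtuple("Packet", "t_us src dst sport dport length")

TARGET = "198.51.100.10"        # hypothetical victim host inside the ISP's /24
LEGIT_RESOLVER = "192.0.2.53"   # hypothetical resolver the victim really queried
ATTACK_POOL = ipaddress.ip_address("100.64.0.0")  # hypothetical open-resolver pool


def build_traffic(n_reflectors=200, pkts_per_reflector=5):
    """Constructed sample: 20 legitimate replies at 20 pps (small, ~120 B)
    interleaved with one reflected response burst per open resolver
    (large, ~3 kB, all carrying spoofed-source replies to the victim)."""
    pkts = []
    for i in range(20):
        pkts.append(Packet(500 + 50_000 * i, LEGIT_RESOLVER, TARGET, 53, 40_000 + i, 120))
    j = 0
    for r in range(n_reflectors):
        src = str(ATTACK_POOL + r)
        for _ in range(pkts_per_reflector):
            pkts.append(Packet(1_000 * j, src, TARGET, 53, 40_000, 3_000))  # 1 pkt/ms
            j += 1
    return sorted(pkts, key=lambda p: p.t_us)


class TokenBucket:
    """Classic token bucket; 1 token = 1 packet, kept as integer micro-tokens."""

    def __init__(self, rate_pps, burst):
        self.rate = rate_pps
        self.cap = burst * 1_000_000
        self.tokens = self.cap
        self.last = 0

    def allow(self, t_us):
        # dt seconds * rate = (t_us / 1e6) * rate tokens = t_us * rate micro-tokens
        self.tokens = min(self.cap, self.tokens + (t_us - self.last) * self.rate)
        self.last = t_us
        if self.tokens >= 1_000_000:
            self.tokens -= 1_000_000
            return True
        return False


def tally(pkts, decide):
    """Count passed/dropped packets separately for legitimate and attack traffic."""
    counts = {"legit_passed": 0, "legit_dropped": 0,
              "attack_passed": 0, "attack_dropped": 0}
    for p in pkts:
        kind = "legit" if p.src == LEGIT_RESOLVER else "attack"
        verdict = "passed" if decide(p) else "dropped"
        counts[f"{kind}_{verdict}"] += 1
    return counts


def flat_udp53_limit(pkts, rate_pps=50, burst=10):
    """One bucket for every UDP/53 packet headed to the target.
    Stateless, but legitimate replies compete with the flood for the same tokens."""
    bucket = TokenBucket(rate_pps, burst)
    return tally(pkts, lambda p: bucket.allow(p.t_us) if p.sport == 53 else True)


def per_source_limit(pkts, rate_pps=20, burst=5):
    """One bucket per source address.  Legitimate replies survive, but the
    limiter now holds a state entry per reflector, and a flood spread thinly
    over many reflectors never exceeds any single per-source budget."""
    buckets = {}

    def decide(p):
        b = buckets.get(p.src)
        if b is None:
            b = buckets[p.src] = TokenBucket(rate_pps, burst)
        return b.allow(p.t_us)

    counts = tally(pkts, decide)
    counts["state_entries"] = len(buckets)
    return counts


if __name__ == "__main__":
    traffic = build_traffic()
    print("flat UDP/53 limit :", flat_udp53_limit(traffic))
    print("per-source limit  :", per_source_limit(traffic))
```

With these parameters the flat limiter lets one of the twenty legitimate replies through and drops the other nineteen, which is the "kills everything sooner" outcome; the per-source limiter passes all twenty legitimate replies but also passes every reflected packet, while holding 201 bucket entries for a single victim host. Scale the reflector count up to tens of thousands and the state cost of the second approach is what bites.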