strategies to mitigate DNS amplification attacks in ISP network

Karsten Elfenbein karsten.elfenbein at
Wed Dec 2 08:24:42 UTC 2015


depends on the type of ISP you are and the bandwidth used in the attack.

If most attacks are targeted for then you could design
your net so that is just a TCP service VIP that never
needs any UDP. This would make it possible to place simple ACL on your
edge to get rid of most stuff.
Yes there are people that know how to correctly DDOS but most just
give up after there attack traffic never affects the service.

If the bandwidth exceeds your transit/peering capacity you need to
filter/blackhole it upstream. You can also isolate the prefix under
attack to a single transit or a DDOS mitigation service to prevent the
other prefixes from being impacted.

Other useful stuff is a flow based traffic analysis tool to get
details about the attack.


2015-12-01 17:59 GMT+01:00 Martin T <m4rtntns at>:
> Hi,
> as around 40% of ASNs allow at least partial IPv4 address spoofing in
> their network( and there are
> around 30 million open-resolvers( in
> the Internet, then DNS amplification traffic is daily occasion for
> ISPs. This in probably mainly because RPF checks and DNS
> RRL(
> are not ubiquitously implemented, recursive requests without any ACLs
> in DNS servers are often allowed, it requires little effort from
> attackers point of view and is effective attack method. Unfortunately,
> there seems to be very limited number of countermeasures for ISPs. Few
> which I can think of:
> 1) higher capacity backbone links - I'm not sure if this can be
> considered a mitigation method, but at least it can help to affect
> smaller amount of customers if traffic volumes are not very high
> 2) rate-limit incoming DNS traffic flows on peering and uplink ports -
> here I mean something similar to iptables "recent"
> module(
> which allows certain number of certain type of packets in a configured
> time-slot per IP. However, such functionality is probably not common
> on edge or backbone routers.
> Tracking the packet state does definitely not work because state table
> should be synchronized between all the routers in the network and
> again, this requires Internet-routers to have stateful firewall
> functionality. In addition, one also needs to allow new DNS
> connections from Internet to its network.
> If one simply polices incoming DNS traffic on uplink and peering
> ports(for example if baseline DNS traffic is 5Mbps, then policer is
> set to 50Mbps), then legitimate customers DNS traffic is also affected
> in case of actual attack occurs and policer starts to drop DNS
> traffic, i.e. policer has no way to distinguish between the legitimate
> and non-legitimate incoming DNS traffic.
> Am I wrong in some points? What are the common practices to mitigate
> DNS amplification attacks in ISP network?
> thanks,
> Martin

More information about the NANOG mailing list