nanog mailing list archives
Re: strategies to mitigate DNS amplification attacks in ISP network
From: "Roland Dobbins" <rdobbins () arbor net>
Date: Wed, 02 Dec 2015 00:14:21 +0700
On 1 Dec 2015, at 23:59, Martin T wrote:
What are the common practices to mitigate DNS amplification attacks in ISP network?
Situationally-appropriate network access policies instantiated as ACLs on hardware-based routers/layer-3 switches in IDCs, on customer aggregation routers, in mitigation centers, etc.
S/RTBH. flowspec. IDMS (full disclosure, I work for a vendor of such systems). See this .pdf preso: <https://app.box.com/s/r7an1moswtc7ce58f8gg> Statefulness is out, as you indicate.QoS is out, as you indicated (e.g., legitimate traffic is 'crowded out' by programmatically-generated attack traffic).
The real solution to this entire problem set is source-address validation, as you indicate. Until the happy day when we've achieved universal source-address validation arrives, various combinations of the above.
----------------------------------- Roland Dobbins <rdobbins () arbor net>
Current thread:
- strategies to mitigate DNS amplification attacks in ISP network Martin T (Dec 01)
- Re: strategies to mitigate DNS amplification attacks in ISP network Roland Dobbins (Dec 01)
- Re: strategies to mitigate DNS amplification attacks in ISP network Roland Dobbins (Dec 01)
- Re: strategies to mitigate DNS amplification attacks in ISP network Stepan Kucherenko (Dec 02)
- Re: strategies to mitigate DNS amplification attacks in ISP network William Herrin (Dec 01)
- RE: strategies to mitigate DNS amplification attacks in ISP network Michael Hare (Dec 01)
- Re: strategies to mitigate DNS amplification attacks in ISP network Mark Andrews (Dec 01)
- Re: strategies to mitigate DNS amplification attacks in ISP network Karsten Elfenbein (Dec 02)
- Re: strategies to mitigate DNS amplification attacks in ISP network Roland Dobbins (Dec 01)