[155082] in North American Network Operators' Group
Re: DDoS using port 0 and 53 (DNS)
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed Jul 25 12:42:01 2012
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Wed, 25 Jul 2012 16:41:27 +0000
In-Reply-To: <000001cd6a7a$1096b900$31c42b00$@iname.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 25, 2012, at 10:27 PM, Frank Bulk wrote:
> Can netflow _properly_ "capture" whether a packet is a fragment or not?
No.
> If not, does IPFIX address this?
Yes.
But this is all a distraction. We are now down in the weeds.
Your customers were victims of a DNS reflection/amplification attack. The =
issue of fragmentation is moot. The defense methodologies already discusse=
d are how folks typically deal with these attacks. There isn't an ovearchi=
ng network access policy list you can apply at your edges or ask your peers=
/upstreams to apply which will mask them - the optimal approach is to deal =
with them on a case-by-case basis.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
