[162726] in North American Network Operators' Group
Mitigating DNS amplification attacks
From: Thomas St-Pierre <tstpierre@iweb.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 30 Apr 2013 23:43:18 +0000
Hi!
I was wondering if anyone had any experience with dealing with open resolvers as a web hoster? We currently have some 40,000 IPs that respond to DNS in our AS, the majority of which are not "open" but do reply with a referral to the root zones. We've been sending emails to our clients, but as the servers are not managed by us, there's not much we can do at that level.
Recently we've seen a large increase in the number and volume of DNS amplification DDoSes that are being reflected off of our AS. Just today we've seen at least 6 different attacks with between 4 and 10 Gbps leaving our AS each time. It's not really causing us issues at the moment because we have the capacity, but I'd hate to be on the receiving side. (And indeed, we have been on the receiving side in the past, so I know how much it can suck.)
Has anyone ever tried mitigating/rate-limiting/etc. these attacks in the network before? (vs. at the server/application level)
We have an Arbor Peakflow device, but it's not really geared for this scenario, I find. It will detect the outgoing attack via the flows, but all we can really do is null-route the victim's IP in our AS. Ideally we would need a way to rate-limit DNS packets based on source IP. Maybe a Linux box that handles dropping packets from the same source IP over 1000/sec, with some policy-based routing sending the DNS traffic to it? Does such a box exist already?
If anyone has any ideas or suggestions, then by all means! There must be a better way to do this, and I'd really like to avoid re-inventing the wheel if it's been invented already. :)
Thanks!
Thomas
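The "drop packets from the same source IP over 1000/sec" box Thomas describes is a per-source token bucket in front of the DNS servers. The following is an added example, not code from the original post or from anyone on the thread: a stand-alone Python model of that limiter run over a constructed one-second traffic sample (addresses from the documentation ranges, the 5000-query flood and 1000 pps threshold are assumptions chosen to match the figures in the post). The point it shows is that in a reflection attack the source IP on the wire is the spoofed victim, so keying the limiter on source IP caps what leaves the AS toward that victim, while a legitimate resolver querying at a normal rate and non-DNS traffic from the victim address are untouched.

```python
"""Per-source-IP DNS rate limiter (token bucket), modelled on the
"Linux box dropping packets from the same source IP over 1000/sec" idea.
Added example with a constructed packet stream; not the poster's code."""
from collections import defaultdict
from dataclasses import dataclass

SCALE = 1_000_000  # tokens kept as integers scaled by 1e6 so the arithmetic is exact


@dataclass
class Packet:
    ts_us: int   # arrival time in microseconds
    src: str     # source IP as seen on the wire (the spoofed victim in a reflection attack)
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


class PerSourceLimiter:
    """One token bucket per source IP: refills at rate_pps, holds at most burst tokens."""

    def __init__(self, rate_pps: int = 1000, burst: int = 1000):
        self.rate_pps = rate_pps
        self.cap = burst * SCALE
        self._tokens = {}  # src -> scaled token count
        self._last = {}    # src -> timestamp of last update

    def allow(self, src: str, ts_us: int) -> bool:
        if src not in self._tokens:          # first packet from this source: full bucket
            self._tokens[src] = self.cap
            self._last[src] = ts_us
        elapsed = max(0, ts_us - self._last[src])
        self._last[src] = ts_us
        # elapsed_us * pps / 1e6 tokens == elapsed_us * pps scaled tokens
        self._tokens[src] = min(self.cap, self._tokens[src] + elapsed * self.rate_pps)
        if self._tokens[src] >= SCALE:       # at least one whole token: pass and spend it
            self._tokens[src] -= SCALE
            return True
        return False                         # bucket empty: drop


def is_dns_query(p: Packet) -> bool:
    return p.proto == "udp" and p.dport == 53


def filter_stream(packets, limiter):
    """Apply the limiter to UDP/53 only; everything else bypasses it.
    Returns {src: {"passed": n, "dropped": n, "bypassed": n}}."""
    stats = defaultdict(lambda: {"passed": 0, "dropped": 0, "bypassed": 0})
    for p in sorted(packets, key=lambda x: x.ts_us):
        if not is_dns_query(p):
            stats[p.src]["bypassed"] += 1
        elif limiter.allow(p.src, p.ts_us):
            stats[p.src]["passed"] += 1
        else:
            stats[p.src]["dropped"] += 1
    return dict(stats)


def build_sample_stream():
    """Constructed one-second sample (RFC 5737 documentation addresses, assumed values)."""
    VICTIM = "198.51.100.10"    # spoofed source: the reflection target
    RESOLVER = "203.0.113.5"    # a legitimate recursive resolver
    SERVER = "192.0.2.53"       # a customer's DNS server inside the hoster's AS
    pkts = []
    # 5000 spoofed queries in one second, evenly spaced 200 us apart (5000 pps)
    pkts += [Packet(i * 200, VICTIM, SERVER, "udp", 53) for i in range(5000)]
    # 50 legitimate queries in the same second, 20 ms apart
    pkts += [Packet(i * 20_000, RESOLVER, SERVER, "udp", 53) for i in range(50)]
    # web traffic from the victim address: not DNS, must never be limited
    pkts += [Packet(i * 100_000, VICTIM, SERVER, "tcp", 80) for i in range(10)]
    return pkts


def run_sample():
    return filter_stream(build_sample_stream(), PerSourceLimiter(rate_pps=1000, burst=1000))


if __name__ == "__main__":
    for src, s in run_sample().items():
        print(f"{src:16} passed={s['passed']:5} dropped={s['dropped']:5} bypassed={s['bypassed']:3}")
```

With a 1000-token burst the first 1000-odd spoofed queries pass before the bucket drains, after which the victim is served at the steady 1000 pps refill rate and roughly 60% of this second's flood is dropped; in a sustained attack the drop fraction approaches 80%. The production counterpart of this logic on a Linux filtering box is the iptables hashlimit match keyed on source address (`-p udp --dport 53 -m hashlimit --hashlimit-mode srcip --hashlimit-above 1000/sec --hashlimit-burst 1000 -j DROP`), which keeps the same per-source bucket in the kernel. Two caveats when tuning the threshold: a large public resolver legitimately exceeding 1000 qps toward the AS would be throttled by the same rule, and because the attacker controls the spoofed source, a limit keyed on that address caps the damage to each victim rather than stopping the reflection outright.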