[162727] in North American Network Operators' Group
Re: Mitigating DNS amplification attacks
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Tue Apr 30 19:57:50 2013
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Tue, 30 Apr 2013 23:57:38 +0000
In-Reply-To: <CDA5CF54.10D9A%tstpierre@iweb.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On May 1, 2013, at 6:43 AM, Thomas St-Pierre wrote:
> We've been sending emails to our clients but as the servers are not managed by us, there's not much we can do at that level.
Sure, there is - shut them down if they don't comply. Most ISPs have AUP verbiage which would apply to a situation of this type.
> Has anyone ever tried mitigating/rate-limiting/etc these attacks in the network before? (vs at the server/application level)
QoS doesn't work, as the programmatically-generated attack traffic 'crowds out' legitimate requests.
> We have an Arbor peakflow device, but it's not really geared for this scenario I find.
Peakflow SP is a NetFlow-based anomaly-detection system which performs attack detection/classification/traceback. Please feel free to ping me offlist about additional system elements which perform attack mitigation.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
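The flow-based detection and traceback the reply refers to can be illustrated with a small NetFlow-style check; this is an added example, not code from the thread or from Arbor's Peakflow SP, and all addresses and flow records are constructed. It flags customer resolvers whose UDP/53 response bytes toward one destination dwarf the query bytes arriving from it, and groups the reflectors per victim so an operator knows which clients to contact.

```python
"""Toy NetFlow-style detector for DNS amplification via customer resolvers."""
from collections import defaultdict

# Constructed flow records: (src, dst, src_port, dst_port, proto, bytes, packets).
# 198.51.100.10/.11 are customer-run open resolvers; 203.0.113.5 is the victim
# whose address is spoofed in the queries; 192.0.2.20 is a normal client.
FLOWS = [
    ("203.0.113.5", "198.51.100.10", 40000, 53, "udp", 60, 1),     # spoofed query
    ("203.0.113.5", "198.51.100.10", 40001, 53, "udp", 60, 1),     # spoofed query
    ("198.51.100.10", "203.0.113.5", 53, 40000, "udp", 3000, 3),   # large response
    ("198.51.100.10", "203.0.113.5", 53, 40001, "udp", 3000, 3),   # large response
    ("198.51.100.11", "203.0.113.5", 53, 40002, "udp", 2500, 2),   # response, query unseen
    ("192.0.2.20", "198.51.100.10", 50000, 53, "udp", 70, 1),      # legitimate query
    ("198.51.100.10", "192.0.2.20", 53, 50000, "udp", 150, 1),     # normal-sized answer
    ("198.51.100.10", "203.0.113.5", 443, 40003, "tcp", 9000, 10), # not DNS, ignored
]


def find_amplifiers(flows, min_ratio=10.0, min_bytes=1000):
    """Return (resolver, victim, ratio) for resolver->destination pairs whose
    UDP/53 response bytes exceed min_bytes and min_ratio times the query bytes.
    A pair with responses but no observed queries (asymmetric routing, or the
    spoofed queries entered the network elsewhere) gets an infinite ratio."""
    out_bytes = defaultdict(int)  # (resolver, client) -> response bytes
    in_bytes = defaultdict(int)   # (resolver, client) -> query bytes
    for src, dst, sport, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if sport == 53:           # response leaving a resolver
            out_bytes[(src, dst)] += nbytes
        elif dport == 53:         # query arriving at a resolver
            in_bytes[(dst, src)] += nbytes
    suspects = []
    for (resolver, client), out_b in out_bytes.items():
        in_b = in_bytes.get((resolver, client), 0)
        ratio = out_b / in_b if in_b else float("inf")
        if out_b >= min_bytes and ratio >= min_ratio:
            suspects.append((resolver, client, round(ratio, 1)))
    return sorted(suspects)


def reflectors_by_victim(suspects):
    """Traceback view: victim address -> sorted list of reflecting resolvers."""
    victims = defaultdict(list)
    for resolver, victim, _ratio in suspects:
        victims[victim].append(resolver)
    return {v: sorted(r) for v, r in victims.items()}


if __name__ == "__main__":
    hits = find_amplifiers(FLOWS)
    print(hits)
    print(reflectors_by_victim(hits))
```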