[162729] in North American Network Operators' Group


Re: Mitigating DNS amplification attacks

daemon@ATHENA.MIT.EDU (Damian Menscher)
Tue Apr 30 20:33:19 2013

In-Reply-To: <CDA5D62D.10DBD%tstpierre@iweb.com>
From: Damian Menscher <damian@google.com>
Date: Tue, 30 Apr 2013 17:32:44 -0700
To: Thomas St-Pierre <tstpierre@iweb.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Apr 30, 2013 at 5:28 PM, Thomas St-Pierre <tstpierre@iweb.com> wrote:

> On 13-04-30 7:57 PM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:
> >On May 1, 2013, at 6:43 AM, Thomas St-Pierre wrote:
> >
> >> We've been sending emails to our clients but as the servers are not
> >>managed by us, there's not much we can do at that level.
> >
> >Sure, there is - shut them down if they don't comply.  Most ISPs have AUP
> >verbiage which would apply to a situation of this type.
>
> Unfortunately I somehow doubt management is going to look favourably on a
> request to shut down so many clients. :( The large majority of the servers
> being used in the attacks are not open resolvers. Just DNS servers that
> are authoritative for a few domains, and the default config of the dns
> application does referrals to root for anything else.

Offering a DNS service to your customers may allow you to provide a good
alternative to push those customers onto.  You can then manage it properly.

But I think DNS isn't the real issue here, it's the fact you're receiving
spoofed traffic.  I'd start by tracking the attacks backwards through your
upstreams, as obviously someone in the path isn't enforcing BCP 38.  Stop
the spoof capability and the attacks will stop.  It requires less effort
overall (vs your counterparts at every hosting provider needing to solve
the problem for their networks) and provides the best benefit to the
victims.

Damian
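As an added illustration of the "track the spoofed traffic back through your ingress interfaces" approach above (example code, not part of the thread and not from any poster), the following applies a BCP 38-style test to flow records: a packet arriving on a customer-facing interface whose source address is outside the prefixes allocated behind that interface is spoofed, and the interface carrying the most such packets toward UDP/53 is where to look first. The interface-to-prefix map and the flow records are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (hypothetical, not from the thread): the prefixes
# allocated behind each customer-facing ingress interface. Under BCP 38 an
# interface should only carry packets sourced from its own allocations.
INTERFACE_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "203.0.113.0/26"],
}

# Constructed flow records: (ingress_iface, src_ip, dst_ip, dst_port, packets)
SAMPLE_FLOWS = [
    ("cust-a", "192.0.2.10", "203.0.113.200", 53, 1200),      # legitimate source
    ("cust-a", "198.51.100.77", "203.0.113.200", 53, 90000),  # spoofed: not cust-a
    ("cust-b", "203.0.113.5", "192.0.2.1", 443, 40),          # legitimate source
    ("cust-b", "192.0.2.99", "203.0.113.200", 53, 85000),     # spoofed: not cust-b
]


def _networks(iface):
    return [ipaddress.ip_network(p) for p in INTERFACE_PREFIXES.get(iface, [])]


def is_spoofed(iface, src_ip):
    """BCP 38 ingress test: True when src_ip lies outside every prefix of iface.
    An interface with no known allocation is treated as failing the test."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in _networks(iface))


def spoofed_by_interface(flows, dns_only=False):
    """Packets per ingress interface whose source fails the BCP 38 test.
    dns_only=True keeps only flows toward port 53, i.e. the queries that an
    authoritative server doing root referrals, or an open resolver, would
    reflect back at the spoofed victim address."""
    counts = defaultdict(int)
    for iface, src, _dst, dport, pkts in flows:
        if dns_only and dport != 53:
            continue
        if is_spoofed(iface, src):
            counts[iface] += pkts
    return dict(counts)


def worst_ingress(flows, dns_only=False):
    """Interface to examine first when tracing the attack back upstream."""
    counts = spoofed_by_interface(flows, dns_only)
    return max(counts, key=counts.get) if counts else None
```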
