[162730] in North American Network Operators' Group
Re: Mitigating DNS amplification attacks
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Apr 30 20:35:57 2013
In-Reply-To: <CDA5CF54.10D9A%tstpierre@iweb.com>
From: Jared Mauch <jared@puck.nether.net>
Date: Tue, 30 Apr 2013 20:35:18 -0400
To: Thomas St-Pierre <tstpierre@iweb.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Please look at something like rate limiting.

Please look at preventing these spoofed packets from entering your network and report the issue.

Please provide advice and insights as well as directing customers to the openresolverproject.org website. We want to close these down. If you need an accurate list of IPs in your ASN, please email me and I can give you very accurate data.

Thanks!
On Apr 30, 2013, at 7:43 PM, Thomas St-Pierre <tstpierre@iweb.com> wrote:
> Hi!
>
> I was wondering if anyone had any experience with dealing with open resolvers as a web hoster? We currently have some 40,000 IPs that respond to DNS in our AS, the majority of which are not "open" but do reply with a referral to the root zones. We've been sending emails to our clients, but as the servers are not managed by us, there's not much we can do at that level.
>
> Recently we've seen a large increase in the number and volume of DNS amplification DDoS attacks that are being reflected off of our AS. Just today we've seen at least 6 different attacks with between 4 and 10 Gbps leaving our AS each time. It's not really causing us issues at the moment because we have the capacity, but I'd hate to be on the receiving side. (And indeed, I have been on the receiving side in the past, so I know how much it can suck.)
>
> Has anyone ever tried mitigating/rate-limiting/etc. these attacks in the network before? (vs. at the server/application level)
>
> We have an Arbor Peakflow device, but it's not really geared for this scenario, I find. It will detect the outgoing attack via the flows, but all we can really do is null-route the victim's IP in our AS. Ideally we would need a way to rate-limit DNS packets based on source IP. Maybe a Linux box that handles dropping packets from the same source IP over 1000/sec, with some policy-based routing sending the DNS traffic to it? Does such a box exist already?
>
> If anyone has any ideas or suggestions, then by all means! There must be a better way to do this, and I'd really like to avoid re-inventing the wheel if it's been invented already. :)
>
> Thanks!
> Thomas
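The "box that drops packets from the same source IP over 1000/sec" that Thomas asks about, and the rate limiting Jared points at, come down to a token bucket keyed on some field of the outbound UDP/53 reply. The following is an added example written for this archive page; it is not code from either message, from Arbor, or from any real appliance. It simulates that limiter over constructed flow records and compares two keys: the responding server's source IP (Thomas's proposal) and the reply's destination IP, which in a reflection attack is the spoofed victim. The IP addresses, the 1000 packets/s rate, the 1000-packet burst and the flow records are all constructed for the demonstration and are not taken from the thread. It also includes a fan-in heuristic for spotting the victim in flow data (many of our servers replying to one destination at a high rate), which is the kind of detection the post says the flow collector already does.

```python
"""Simulated per-key token-bucket limiter for outbound DNS replies.

Added example for the rate-limiting discussion in this NANOG thread; not
code from the thread, from Arbor, or from any real appliance.  Addresses,
rates and flow records are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts_ms: int   # milliseconds since start of the sample (ints avoid float drift)
    src: str     # name server inside our AS that emitted the UDP/53 reply
    dst: str     # where the reply goes: the real client, or the spoofed victim
    pkts: int    # number of replies in this flow record


class TokenBucketLimiter:
    """One bucket per key; refills at `rate` packets/s, holds at most `burst`."""

    def __init__(self, key: Callable[[Flow], str], rate: int, burst: int):
        self.key, self.rate, self.burst = key, rate, burst
        self._tokens: Dict[str, int] = {}
        self._last_ms: Dict[str, int] = {}

    def admit(self, f: Flow) -> int:
        """Return how many of f.pkts may be forwarded; the rest are dropped."""
        k = self.key(f)
        tokens = self._tokens.get(k, self.burst)          # a new key starts full
        last = self._last_ms.get(k, f.ts_ms)
        tokens = min(self.burst, tokens + (f.ts_ms - last) * self.rate // 1000)
        forwarded = min(f.pkts, tokens)
        self._tokens[k] = tokens - forwarded
        self._last_ms[k] = f.ts_ms
        return forwarded


def apply_limiter(flows: Iterable[Flow], limiter: TokenBucketLimiter) -> Dict[str, Tuple[int, int]]:
    """Replay flows in time order; return {dst: (forwarded, dropped)}."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for f in sorted(flows, key=lambda x: x.ts_ms):
        fwd = limiter.admit(f)
        totals[f.dst][0] += fwd
        totals[f.dst][1] += f.pkts - fwd
    return {d: (fwd, drop) for d, (fwd, drop) in totals.items()}


def suspected_victims(flows: Iterable[Flow], min_sources: int = 3, min_pps: int = 1000) -> List[str]:
    """Destinations that get replies from many of our servers at a high rate:
    the fan-in signature of reflection (one spoofed source, many reflectors)."""
    per_dst_src = defaultdict(set)
    per_dst_sec = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst_src[f.dst].add(f.src)
        per_dst_sec[f.dst][f.ts_ms // 1000] += f.pkts
    return sorted(d for d in per_dst_src
                  if len(per_dst_src[d]) >= min_sources
                  and max(per_dst_sec[d].values()) >= min_pps)


def sample_flows() -> List[Flow]:
    """Constructed ten-second sample: two real clients, plus a reflected stream
    of 5,000 replies/s from each of three servers towards one spoofed victim."""
    flows = []
    for t in range(10):
        flows.append(Flow(t * 1000 + 600, "10.0.0.1", "203.0.113.10", 200))
        flows.append(Flow(t * 1000 + 600, "10.0.0.2", "203.0.113.11", 20))
        if 3 <= t <= 7:
            for server in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
                flows.append(Flow(t * 1000 + 500, server, "198.51.100.7", 5000))
    return flows


def compare_keys(rate: int = 1000, burst: int = 1000):
    """Key on the responding server (the proposal) vs key on the reply's destination."""
    flows = sample_flows()
    by_src = apply_limiter(flows, TokenBucketLimiter(lambda f: f.src, rate, burst))
    by_dst = apply_limiter(flows, TokenBucketLimiter(lambda f: f.dst, rate, burst))
    return by_src, by_dst


if __name__ == "__main__":
    print("suspected victims:", suspected_victims(sample_flows()))
    by_src, by_dst = compare_keys()
    for label, res in (("key=src", by_src), ("key=dst", by_dst)):
        for dst, (fwd, drop) in sorted(res.items()):
            print(f"{label:8} {dst:15} forwarded={fwd:6d} dropped={drop:6d}")
```

Running it shows the trade-off a practitioner cares about: keyed on the destination, the limiter cuts the victim's 75,000 reflected replies down to 5,000 and touches no legitimate client; keyed on the server's source IP, it still lets 14,520 replies through to the victim (three servers, three buckets) and starts dropping the real client of the busiest server. On Linux the destination-keyed policy maps onto iptables' hashlimit match (`-m hashlimit --hashlimit-mode dstip --hashlimit-above 1000/sec`), and on the servers themselves BIND's response rate limiting (RRL) does the per-client-netblock version; neither replaces filtering the spoofed packets at their origin, which is what Jared's reply asks for.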