[162731] in North American Network Operators' Group


Re: Mitigating DNS amplification attacks

daemon@ATHENA.MIT.EDU (Thomas St-Pierre)
Tue Apr 30 20:42:17 2013

From: Thomas St-Pierre <tstpierre@iweb.com>
To: Damian Menscher <damian@google.com>
Date: Wed, 1 May 2013 00:42:06 +0000
In-Reply-To: <CABSP1OcQvPTy_vgPNdA5ZoSewap2hLrZ1NCbi21nuLLP4kkeyw@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>

Hi Damian!

We offer a DNS hosted solution, but most people still use their own servers (especially those with control panels such as cPanel or Plesk, where it's built in).

As for BCP38, I would love to stop the spoofed packets; however, with them coming from our upstreams (Level3, Cogent, Tata, etc.) I don't see how we can.

Thanks!
Thomas


From: Damian Menscher <damian@google.com>
Date: Tuesday, 30 April, 2013 8:32 PM
To: "Thomas St.Pierre" <tstpierre@iweb.com>
Cc: "Dobbins, Roland" <rdobbins@arbor.net>, NANOG list <nanog@nanog.org>
Subject: Re: Mitigating DNS amplification attacks

On Tue, Apr 30, 2013 at 5:28 PM, Thomas St-Pierre <tstpierre@iweb.com> wrote:
On 13-04-30 7:57 PM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:
>On May 1, 2013, at 6:43 AM, Thomas St-Pierre wrote:
>
>> We've been sending emails to our clients but as the servers are not
>> managed by us, there's not much we can do at that level.
>
>Sure, there is - shut them down if they don't comply.  Most ISPs have AUP
>verbiage which would apply to a situation of this type.

Unfortunately I somehow doubt management is going to look favourably on a
request to shut down so many clients. :( The large majority of the servers
being used in the attacks are not open resolvers. Just DNS servers that
are authoritative for a few domains, and the default config of the dns
application does referrals to root for anything else.

Offering a DNS service to your customers may allow you to provide a good alternative to push those customers onto.  You can then manage it properly.

But I think DNS isn't the real issue here, it's the fact you're receiving spoofed traffic.  I'd start by tracking the attacks backwards through your upstreams, as obviously someone in the path isn't enforcing BCP 38.  Stop the spoof capability and the attacks will stop.  It requires less effort overall (vs your counterparts at every hosting provider needing to solve the problem for their networks) and provides the best benefit to the victims.

Damian
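The pattern Thomas describes (authoritative-only servers answering queries for zones they do not serve, so the spoofed "client" is really the reflection target) can be spotted in a server's own query log. The script below is an added example, not part of this thread; it assumes BIND 9 style query-log lines, a hypothetical customer zone `hosting-customer.example`, and constructed log data using documentation addresses.

```python
import re
from collections import Counter

# Zones the (hypothetical) customer server is authoritative for.
AUTHORITATIVE_ZONES = {"hosting-customer.example"}

# BIND 9 query-log format: "client IP#port (qname): query: qname IN type flags (server-ip)".
LOG_RE = re.compile(r"client ([^#\s]+)#\d+ \(\S+\): query: (\S+) IN (\S+)")

# Constructed sample log. 192.0.2.45 is the spoofed source, i.e. the victim
# being flooded with referrals/REFUSED answers for names this server does not serve.
SAMPLE_LOG = """\
30-Apr-2013 20:15:01.001 client 203.0.113.7#5353 (hosting-customer.example): query: hosting-customer.example IN A +E (198.51.100.10)
30-Apr-2013 20:15:01.002 client 192.0.2.45#40000 (big-txt.example): query: big-txt.example IN ANY +E (198.51.100.10)
30-Apr-2013 20:15:01.003 client 192.0.2.45#40000 (big-txt.example): query: big-txt.example IN ANY +E (198.51.100.10)
30-Apr-2013 20:15:01.004 client 192.0.2.45#40000 (big-txt.example): query: big-txt.example IN ANY +E (198.51.100.10)
30-Apr-2013 20:15:01.005 client 203.0.113.8#5353 (www.hosting-customer.example): query: www.hosting-customer.example IN AAAA +E (198.51.100.10)
30-Apr-2013 20:15:01.006 client 192.0.2.45#40000 (unrelated.example): query: unrelated.example IN ANY +E (198.51.100.10)
"""


def in_authoritative_zone(qname):
    """True if qname is at or below one of our authoritative zones."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def parse_line(line):
    """Return (client_ip, qname, qtype) or None for lines that are not queries."""
    m = LOG_RE.search(line)
    return m.groups() if m else None


def find_reflection_targets(log_text, threshold=3):
    """Map client IP -> (off-zone query count, ANY count) for clients sending
    at least `threshold` queries outside our zones. Such clients are likely
    spoofed victims, not real resolvers, since a real resolver has no reason
    to ask an authoritative-only server about zones it does not serve."""
    off_zone, any_type = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, qtype = parsed
        if not in_authoritative_zone(qname):
            off_zone[client] += 1
            if qtype.upper() == "ANY":
                any_type[client] += 1
    return {c: (n, any_type[c]) for c, n in off_zone.items() if n >= threshold}


if __name__ == "__main__":
    for ip, (n, n_any) in find_reflection_targets(SAMPLE_LOG).items():
        print(f"{ip}: {n} off-zone queries ({n_any} ANY) - probable reflection target")
```

The flagged IP is the victim to report upstream for the BCP 38 trace Damian suggests, and the off-zone counts drop to zero once the server is configured to refuse (rather than refer) queries it is not authoritative for.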