[186136] in North American Network Operators' Group
Re: strategies to mitigate DNS amplification attacks in ISP network
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Tue Dec 1 12:14:28 2015
X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: nanog@nanog.org
Date: Wed, 02 Dec 2015 00:14:21 +0700
In-Reply-To: <CAJx5YvFt7-OVuCdzgs6fS+7PdCBKrj9O=qw6V9GSuqNYFSYO_Q@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org
On 1 Dec 2015, at 23:59, Martin T wrote:
> What are the common practices to mitigate
> DNS amplification attacks in ISP network?
Situationally-appropriate network access policies instantiated as ACLs
on hardware-based routers/layer-3 switches in IDCs, on customer
aggregation routers, in mitigation centers, etc.
S/RTBH.
flowspec.
IDMS (full disclosure, I work for a vendor of such systems).
See this .pdf preso:
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
Statefulness is out, as you indicate.
QoS is out, as you indicated (e.g., legitimate traffic is 'crowded out'
by programmatically-generated attack traffic).
The real solution to this entire problem set is source-address
validation, as you indicate. Until the happy day when we've achieved
universal source-address validation arrives, various combinations of the
above.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
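As an added illustration of the stateless, flow-based approach the reply sketches (not code from the post or from any vendor's IDMS): the script below runs over constructed flow records, flags a destination that receives many large UDP/53 responses from many distinct resolvers while having sent almost no queries itself, and describes the flowspec-style match that would rate-limit that reflected traffic. The record layout, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not taken from the original thread). Fields:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    # Host 203.0.113.7 receives large DNS answers from several resolvers but
    # sent only one tiny query: the reflection/amplification shape.
    ("198.51.100.10", 53, "203.0.113.7", 41000, "udp", 3300, 1),
    ("198.51.100.11", 53, "203.0.113.7", 41000, "udp", 3300, 1),
    ("198.51.100.12", 53, "203.0.113.7", 41000, "udp", 3300, 1),
    ("198.51.100.13", 53, "203.0.113.7", 41000, "udp", 3300, 1),
    ("203.0.113.7", 41000, "198.51.100.10", 53, "udp", 64, 1),
    # Host 203.0.113.20 is a normal stub resolver: queries and answers balance.
    ("203.0.113.20", 50000, "198.51.100.10", 53, "udp", 70, 1),
    ("198.51.100.10", 53, "203.0.113.20", 50000, "udp", 180, 1),
    ("203.0.113.20", 50001, "198.51.100.11", 53, "udp", 72, 1),
    ("198.51.100.11", 53, "203.0.113.20", 50001, "udp", 200, 1),
]


def dns_amplification_victims(flows, min_ratio=10.0, min_sources=3):
    """Return {dst_ip: stats} for hosts whose inbound UDP/53 response bytes
    dwarf the DNS query bytes they sent and arrive from many distinct resolvers.
    Thresholds are assumed values for the example, not a recommended policy."""
    resp_bytes = defaultdict(int)    # bytes of src-port-53 traffic per destination
    query_bytes = defaultdict(int)   # bytes of dst-port-53 traffic per originator
    sources = defaultdict(set)       # distinct responders seen per destination
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if sport == 53:
            resp_bytes[dst] += nbytes
            sources[dst].add(src)
        elif dport == 53:
            query_bytes[src] += nbytes
    victims = {}
    for dst, inbound in resp_bytes.items():
        sent = query_bytes.get(dst, 0)
        ratio = inbound / max(sent, 1)   # answers received per query byte sent
        if ratio >= min_ratio and len(sources[dst]) >= min_sources:
            victims[dst] = {"response_bytes": inbound, "query_bytes": sent,
                            "ratio": ratio, "reflectors": sorted(sources[dst])}
    return victims


def flowspec_candidate(victim_ip):
    """Vendor-neutral description of a flowspec match that rate-limits reflected
    DNS answers towards one victim: a stateless, surgical filter, no QoS class."""
    return {"dst": f"{victim_ip}/32", "proto": "udp", "src_port": 53,
            "action": "rate-limit"}
```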