[c-nsp] DNS amplification

yes - and it presumes your DNS servers are based on Linux and use IPTables.

these should give you a good idea of how to get started...

On Sat, Mar 16, 2013 at 6:24 PM, Jon Lewis wrote:

> On Sat, 16 Mar 2013, Robert Joosten wrote:
>  Hi,
>>  Can anyone provide insight into how to defeat DNS amplification attacks?
>>> Restrict resolvers to your customer networks.
>> And deploy RPF
> uRPF / BCP38 is really the only solution.  Even if we did close all the
> open recursion DNS servers (which is a good idea), the attackers would just
> shift to another protocol/service that provides amplification of traffic
> and can be aimed via spoofed source address packets.  Going after DNS is
> playing whack-a-mole.  DNS is the hip one right now.  It's not the only one
> available.
> Many networks will say "but our gear doesn't do uRPF, and maintaining an
> ACL on every customer port is too hard / doesn't scale."
> Consider an alternative solution.  On a typical small ISP / small service
> provider network, if you were to ACL every customer (because your gear
> won't do uRPF), you might need hundreds or even thousands of ACLs. However,
> if you were to put output filters on your transit connections, allowing
> traffic sourced from all IP networks "valid" inside your network, you might
> find that all you need is a single ACL of a handful to several dozen
> entries.  Having one ACL to maintain that only needs changing if you get a
> new IP allocation or add/remove a customer who has their own IPs really
> isn't all that difficult.  As far as the rest of the internet is concerned,
> this solves the issue of spoofed IP packets leaving your network.
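A small model of the "single output ACL on the transit link" approach described above, added here as an example and not part of the original thread. It builds an IOS-style egress ACL from a list of prefixes that are legitimately sourced inside the network, then checks sample outbound packets against it, so the spoofed-source packet an amplification attack depends on is the one that gets dropped. The prefixes, the ACL name `BCP38-EGRESS` and the sample packets are all constructed for illustration.

```python
"""
Egress (BCP38) filter model: build one outbound ACL from the prefixes
legitimately sourced inside the network, then check which packets leaving
via the transit link would be permitted.

Added example; prefixes, packet samples and the ACL name are constructed.
"""
import ipaddress

# Constructed: the ISP's own allocations plus a customer with their own IPs.
VALID_SOURCE_PREFIXES = [
    "192.0.2.0/24",      # ISP allocation (documentation range)
    "198.51.100.0/24",   # second allocation
    "203.0.113.0/26",    # customer bringing their own PI block
]


def build_egress_acl(prefixes, name="BCP38-EGRESS"):
    """Return IOS-style extended ACL lines permitting only the given sources.

    Hypothetical ACL name; lines follow 'ip access-list extended' syntax with
    wildcard (inverse) masks, which ipaddress exposes as net.hostmask.
    """
    lines = [f"ip access-list extended {name}"]
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")   # anything else is spoofed: drop and log
    return lines


def egress_permitted(src_ip, prefixes):
    """True if src_ip lies inside one of the valid prefixes (the ACL permits it)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def filter_packets(packets, prefixes):
    """Split (src, dst) tuples into permitted and dropped lists, as the ACL would."""
    permitted, dropped = [], []
    for src, dst in packets:
        (permitted if egress_permitted(src, prefixes) else dropped).append((src, dst))
    return permitted, dropped


# Constructed sample of packets heading out over transit. The third one carries
# a source address that is not ours (198.18.0.0/15, a benchmarking range):
# that is the spoofed query an amplification attack would send to an open resolver.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.200"),
    ("203.0.113.5", "203.0.113.200"),
    ("198.18.0.1", "203.0.113.200"),   # spoofed source; must not leave our network
]

if __name__ == "__main__":
    for line in build_egress_acl(VALID_SOURCE_PREFIXES):
        print(line)
    ok, bad = filter_packets(SAMPLE_PACKETS, VALID_SOURCE_PREFIXES)
    print("permitted:", ok)
    print("dropped:", bad)
```

The point the thread makes is visible in the ACL length: the permit list grows only when an allocation or a customer with their own IPs is added or removed, not with the number of customer ports. Applying the ACL outbound on the transit interface (`ip access-group BCP38-EGRESS out` on IOS) is what actually enforces it.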
