On Sep 11, 2014, at 8:42 PM, Peter Andreev <andreev.pe...@gmail.com> wrote:
> I'd like to ask the respected community, how do you detect and protect
> against such activity?

What we've seen of this particular attack methodology (as you rightly deduced) over the last six months or so indicates that the placement of the prefix is consistent, as is the size. So, if you have the ability to perform regexp-type filtering on the queries you receive on ingress, that's one possible answer (unless/until the attacker using/creating this particular attack script changes things up).

FYI, most of these queries seem to be reflected through abusable CPE devices which are misconfigured by default as open recursors or DNS forwarders. It may be worth considering investigating, and if this proves to be the case, blacklisting those netblocks and contacting the operator(s) in question in order to ask them to remediate the nodes in question (this could all be scripted, along with a periodic check which would remove the blacklisting once remediation occurs).

-----------------------------------
Roland Dobbins <rdobb...@arbor.net>
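An added example, not part of the original message: a sketch of the regexp-type match on a fixed-size, fixed-position prefix, plus the scripted blacklist with its periodic re-check. The zone, prefix length and alphabet, log layout, threshold and the `is_open_recursor` probe callable are all assumptions chosen for illustration.

```python
import re
from collections import Counter

# Assumptions (not from the original post): victim zone, prefix length and
# alphabet, log line layout, and the per-source threshold.
ZONE = "example.com"
PREFIX_LEN = 12
THRESHOLD = 3

# One leftmost label of exactly PREFIX_LEN characters, directly under ZONE.
ATTACK_QNAME = re.compile(
    r"^[a-z0-9]{%d}\.%s\.?$" % (PREFIX_LEN, re.escape(ZONE)), re.IGNORECASE
)

# Constructed sample log, one query per line: "<source ip> <qname> <qtype>"
SAMPLE_LOG = """\
192.0.2.10 kq3v9xw2hzp1.example.com A
192.0.2.10 a7m2c0rtyu8e.example.com A
192.0.2.10 zz91bnq4lw0x.example.com. A
198.51.100.7 p0o9i8u7y6t5.example.com A
198.51.100.7 www.example.com A
203.0.113.5 q1w2e3r4t5y6.example.com A
203.0.113.5 x9c8v7b6n5m4.EXAMPLE.com A
203.0.113.5 l0k9j8h7g6f5.example.com A
203.0.113.5 mail.example.com MX
198.51.100.7 d4s3a2p1o0i9.example.org A
"""

def matches_attack(qname):
    return ATTACK_QNAME.match(qname) is not None

def suspect_sources(log_text, threshold=THRESHOLD):
    """Return sources that sent at least `threshold` matching queries."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        src, qname, _qtype = parts
        if matches_attack(qname):
            hits[src] += 1
    return {src for src, n in hits.items() if n >= threshold}

def refresh_blacklist(blacklist, is_open_recursor):
    """Periodic check: keep only sources the probe still reports as open."""
    return {src for src in blacklist if is_open_recursor(src)}
```

The threshold keeps a legitimate resolver that happens to send one matching name off the list; `is_open_recursor` stands in for whatever probe the operator uses to confirm remediation.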