yes - and it presumes your DNS servers are based on Linux and use IPTables.

http://www.cryptonizer.com/dnsamp.html
http://serverfault.com/questions/418810/public-facing-recursive-dns-servers-iptables-rules
http://sf-alpha.bjgang.org/wordpress/2013/01/iptables-for-common-dns-amplification-attack-on-recursive-dns-inside-your-network/

these should give you a good idea of how to get started...

On Sat, Mar 16, 2013 at 6:24 PM, Jon Lewis <jle...@lewis.org> wrote:

> On Sat, 16 Mar 2013, Robert Joosten wrote:
>
>> Hi,
>>
>> Can anyone provide insight into how to defeat DNS amplification attacks?
>>>
>>> Restrict resolvers to your customer networks.
>>
>> And deploy RPF
>
> uRPF / BCP38 is really the only solution. Even if we did close all the
> open recursion DNS servers (which is a good idea), the attackers would just
> shift to another protocol/service that provides amplification of traffic
> and can be aimed via spoofed source address packets. Going after DNS is
> playing whack-a-mole. DNS is the hip one right now. It's not the only one
> available.
>
> Many networks will say "but our gear doesn't do uRPF, and maintaining an
> ACL on every customer port is too hard / doesn't scale."
>
> Consider an alternative solution. On a typical small ISP / small service
> provider network, if you were to ACL every customer (because your gear
> won't do uRPF), you might need hundreds or even thousands of ACLs. However,
> if you were to put output filters on your transit connections, allowing
> traffic sourced from all IP networks "valid" inside your network, you might
> find that all you need is a single ACL of a handful to several dozen
> entries. Having one ACL to maintain that only needs changing if you get a
> new IP allocation or add/remove a customer who has their own IPs really
> isn't all that difficult. As far as the rest of the internet is concerned,
> this solves the issue of spoofed IP packets leaving your network.
>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
>  _________ http://www.lewis.org/~jlewis/pgp for PGP public key _________

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
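The single transit egress ACL that Jon Lewis describes above, worked through as an added example (not code from anyone in this thread): a list of prefixes that are "valid" inside a hypothetical ISP, a check that decides whether a packet's source address may leave via transit, and the same policy rendered as Linux iptables rules, since the top post assumes iptables-based boxes. Every prefix, interface name and sample packet below is a constructed placeholder.

```python
"""BCP38-style egress source filter expressed as one prefix list.

Added example, not from the original thread. Instead of one ACL per
customer port, a single output filter on the transit links permits only
packets whose source address falls inside the prefixes legitimately used
inside the network and drops everything else (spoofed sources).
"""
import ipaddress

# Constructed sample data: prefixes "valid" inside this hypothetical ISP
# (own allocations plus one customer who brings their own IP space).
VALID_SOURCE_PREFIXES = [
    "192.0.2.0/24",      # own allocation (documentation range, placeholder)
    "198.51.100.0/24",   # own allocation (documentation range, placeholder)
    "203.0.113.0/25",    # customer with their own IPs (placeholder)
]

# Constructed sample packets as (source, destination) pairs.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.18.0.1"),     # normal customer traffic
    ("203.0.113.7", "198.18.0.2"),    # customer with own IPs, inside the /25
    ("203.0.113.200", "198.18.0.3"),  # outside the customer's /25: spoofed
    ("10.9.8.7", "198.18.0.4"),       # RFC 1918 source: never valid on transit
]


def build_source_filter(prefixes):
    """Parse prefix strings once into network objects; strict=True rejects
    entries such as 192.0.2.5/24 that have host bits set (a typo in the
    ACL would otherwise silently widen or narrow the policy)."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def egress_permitted(src_ip, networks):
    """True if a packet with this source address may leave via transit."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def classify_packets(packets, networks):
    """Map each (src, dst) pair to the action the egress ACL would take."""
    return {
        (src, dst): ("permit" if egress_permitted(src, networks) else "drop")
        for src, dst in packets
    }


def iptables_egress_rules(prefixes, iface="eth0"):
    """Render the same policy as iptables rules for forwarded traffic
    leaving the transit interface: listed sources return to the caller,
    anything else is logged (so spoofing customers can be found) and
    dropped. Returns the command lines as text; nothing is applied."""
    rules = ["iptables -N EGRESS_BCP38"]
    for p in prefixes:
        rules.append(f"iptables -A EGRESS_BCP38 -s {p} -j RETURN")
    rules.append("iptables -A EGRESS_BCP38 -j LOG --log-prefix 'SPOOFED-EGRESS: '")
    rules.append("iptables -A EGRESS_BCP38 -j DROP")
    rules.append(f"iptables -A FORWARD -o {iface} -j EGRESS_BCP38")
    return rules


if __name__ == "__main__":
    nets = build_source_filter(VALID_SOURCE_PREFIXES)
    for (src, dst), action in classify_packets(SAMPLE_PACKETS, nets).items():
        print(f"{src:>15} -> {dst:<12} {action}")
    print()
    print("\n".join(iptables_egress_rules(VALID_SOURCE_PREFIXES)))
```

The prefix list is the only thing that changes when a new allocation arrives or a customer with their own IPs is added or removed, which is the maintenance property the quoted reply is arguing for; the LOG target exists so that a drop counter rising on the transit edge points you at the customer port that is emitting spoofed traffic.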