On 1 Dec 2015, at 23:59, Martin T wrote:
What are the common practices to mitigate
DNS amplification attacks in ISP network?
Situationally-appropriate network access policies instantiated as ACLs
on hardware-based routers/layer-3 switches in IDCs, on customer
aggregation routers, in mitigation centers, etc.
S/RTBH.
flowspec.
IDMS (full disclosure, I work for a vendor of such systems).
See this .pdf preso:
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
Statefulness is out, as you indicate.
QoS is out, as you indicated (e.g., legitimate traffic is 'crowded out'
by programmatically-generated attack traffic).
The real solution to this entire problem set is source-address
validation, as you indicate. Until the happy day when we've achieved
universal source-address validation arrives, various combinations of the
above.
-----------------------------------
Roland Dobbins <rdobb...@arbor.net>
