Re: strategies to mitigate DNS amplification attacks in ISP network

2015-12-02 Thread Stepan Kucherenko
flowspec. Probably the best method if you have competent engineers and uplinks who can give you bgp flowspec. Makes bandwidth attacks amusing instead of annoying.

Re: strategies to mitigate DNS amplification attacks in ISP network

2015-12-02 Thread Karsten Elfenbein
Hi, depends on the type of ISP you are and the bandwidth used in the attack. If most attacks are targeted for www.example.com then you could design your net so that www.example.com is just a TCP service VIP that never needs any UDP. This would make it possible to place a simple ACL on your edge to

Re: strategies to mitigate DNS amplification attacks in ISP network

2015-12-01 Thread Mark Andrews
Message- > > > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Martin T > > > Sent: Tuesday, December 01, 2015 11:00 AM > > > To: nanog@nanog.org > > > Subject: strategies to mitigate DNS amplification attacks in ISP network > > > > >

RE: strategies to mitigate DNS amplification attacks in ISP network

2015-12-01 Thread Michael Hare
-Michael > > -Original Message- > > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Martin T > > Sent: Tuesday, December 01, 2015 11:00 AM > > To: nanog@nanog.org > > Subject: strategies to mitigate DNS amplification attacks in ISP network > > > > Hi, >

Re: strategies to mitigate DNS amplification attacks in ISP network

2015-12-01 Thread William Herrin
On Tue, Dec 1, 2015 at 11:59 AM, Martin T wrote: > Am I wrong in some points? What are the common practices to mitigate > DNS amplification attacks in ISP network? Hi Martin, You seem to be focused on DNS amplification from the perspective of the attack's target. To the target, it's just another

Re: strategies to mitigate DNS amplification attacks in ISP network

2015-12-01 Thread Roland Dobbins
On 2 Dec 2015, at 0:14, Roland Dobbins wrote: Until the happy day when we've achieved universal source-address validation arrives, various combinations of the above. I forgot to mention RRL on authoritative servers, apologies. --- Roland Dobbins

Re: strategies to mitigate DNS amplification attacks in ISP network

2015-12-01 Thread Roland Dobbins
On 1 Dec 2015, at 23:59, Martin T wrote: What are the common practices to mitigate DNS amplification attacks in ISP network? Situationally-appropriate network access policies instantiated as ACLs on hardware-based routers/layer-3 switches in IDCs, on customer aggregation routers, in mitigati

strategies to mitigate DNS amplification attacks in ISP network

2015-12-01 Thread Martin T
Hi, as around 40% of ASNs allow at least partial IPv4 address spoofing in their network (http://spoofer.csail.mit.edu/summary.php) and there are around 30 million open-resolvers (http://openresolverproject.org/) in the Internet, then DNS amplification traffic is a daily occasion for ISPs. This in prob