[c-nsp] DNS amplification
Jon Lewis
jlewis at lewis.org
Sat Mar 16 18:24:00 EDT 2013
On Sat, 16 Mar 2013, Robert Joosten wrote:
> Hi,
>
>>> Can anyone provide insight into how to defeat DNS amplification attacks?
>> Restrict resolvers to your customer networks.
>
> And deploy RPF
uRPF / BCP38 is really the only solution. Even if we did close all the
open recursion DNS servers (which is a good idea), the attackers would
just shift to another protocol/service that provides amplification of
traffic and can be aimed via spoofed source address packets. Going after
DNS is playing whack-a-mole. DNS is the hip one right now. It's not the
only one available.
Many networks will say "but our gear doesn't do uRPF, and maintaining an
ACL on every customer port is too hard / doesn't scale."
Consider an alternative solution. On a typical small ISP / small service
provider network, if you were to ACL every customer (because your gear
won't do uRPF), you might need hundreds or even thousands of ACLs.
However, if you were to put output filters on your transit connections,
allowing traffic sourced from all IP networks "valid" inside your network,
you might find that all you need is a single ACL of a handful to several
dozen entries. Having one ACL to maintain that only needs changing if you
get a new IP allocation or add/remove a customer who has their own IPs
really isn't all that difficult. As far as the rest of the internet is
concerned, this solves the issue of spoofed IP packets leaving your
network.
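A worked illustration of the single egress ACL described above, added here as an example rather than taken from the post or from any vendor documentation: it renders an IOS-style extended ACL from a list of valid source prefixes and checks constructed outbound packets against it. The prefixes (RFC 5737 documentation ranges), the ACL name TRANSIT-EGRESS and the sample sources are all assumptions.

```python
"""Build and test a BCP38-style egress filter for a transit interface.

Added example, not code from the original post. Prefixes, ACL name and
sample packets are constructed for illustration.
"""
import ipaddress

# Constructed: our own allocations plus one customer with their own block.
VALID_SOURCES = [
    "192.0.2.0/24",      # our allocation
    "198.51.100.0/24",   # our allocation
    "203.0.113.64/26",   # customer-owned block routed through us
]


def wildcard_mask(net: ipaddress.IPv4Network) -> str:
    """IOS ACLs use inverted masks: 255.255.255.0 becomes 0.0.0.255."""
    return str(ipaddress.IPv4Address(int(net.hostmask)))


def build_egress_acl(prefixes, acl_name="TRANSIT-EGRESS") -> str:
    """Render an extended ACL permitting only traffic sourced from prefixes.

    Entry count tracks the number of prefixes, not the number of customer
    ports, which is why this scales where per-port ACLs do not.
    """
    lines = [f"ip access-list extended {acl_name}"]
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        lines.append(f" permit ip {net.network_address} {wildcard_mask(net)} any")
    # Hits on this entry are spoofed packets: worth logging to find the abused host.
    lines.append(" deny ip any any log")
    return "\n".join(lines)


def egress_permitted(src_ip: str, prefixes) -> bool:
    """Return True if the ACL above would pass a packet with this source."""
    addr = ipaddress.IPv4Address(src_ip)
    return any(addr in ipaddress.IPv4Network(p) for p in prefixes)


def classify_flows(sources, prefixes) -> dict:
    """Map each constructed outbound source address to 'permit' or 'deny'."""
    return {s: ("permit" if egress_permitted(s, prefixes) else "deny") for s in sources}


if __name__ == "__main__":
    print(build_egress_acl(VALID_SOURCES))
    # Constructed outbound DNS queries: two legitimate sources, two spoofed ones.
    sample = ["192.0.2.10", "203.0.113.70", "203.0.113.5", "198.18.0.5"]
    for src, verdict in classify_flows(sample, VALID_SOURCES).items():
        print(f"{src:15} {verdict}")
```

The rendered ACL is applied outbound on the transit interface (`ip access-group TRANSIT-EGRESS out`), so the deny counter and log become a direct measure of how much spoofed traffic customer hosts are trying to emit.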
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________