[c-nsp] DNS amplification

David Rothera david.rothera at gmail.com
Sat Mar 16 18:30:41 EDT 2013


Depends on whether you want to defeat being the person being attacked or
the person being "tricked" into being the person doing the amplification
attack.

For stopping being attacked without taking services from your upstream
provider, the only thing you can do really is police DNS traffic, as uRPF
isn't going to be of much help as it will generally be coming from the
correct ingress interface.

As far as stopping being the attacker, as others have said, use uRPF and
limit your resolvers to only allow access from hosts within your own AS.

David

On Saturday, March 16, 2013, harbor235 wrote:

> Can anyone provide insight into how to defeat DNS amplification attacks?
>
>
> thanks,
>
> Mike


-- 
David Rothera
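
The measures named in this reply (uRPF, resolvers restricted to your own hosts, policing DNS traffic), written out as Cisco IOS configuration. This is an added example, not part of the original post; the interface names, the addresses (RFC 5737 documentation ranges), the ACL and policy names, and the police rate are all assumptions.

```cisco
! Constructed example: interface names, addresses (RFC 5737 ranges) and the
! police rate are assumptions, not values from the thread.
!
! --- Not being the amplifier: strict uRPF on the customer-facing edge ---
interface GigabitEthernet0/1
 description customer-facing edge
 ip verify unicast source reachable-via rx
!
! --- Not being the amplifier: resolver answers only hosts in our own AS ---
! Assumed resolver 192.0.2.53, assumed own prefix 198.51.100.0/24
ip access-list extended RESOLVER-CLIENTS
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.53 eq domain
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.53 eq domain
 deny   udp any host 192.0.2.53 eq domain
 deny   tcp any host 192.0.2.53 eq domain
 permit ip any any
!
interface GigabitEthernet0/2
 description resolver LAN
 ip access-group RESOLVER-CLIENTS out
!
! --- Being the target: police DNS replies arriving from upstream ---
! Replies carry UDP source port 53 and arrive on the expected interface,
! so uRPF passes them; a policer caps how much reaches the inside.
ip access-list extended DNS-REPLIES
 permit udp any eq domain any
!
class-map match-all DNS-REPLIES
 match access-group name DNS-REPLIES
!
policy-map POLICE-DNS-IN
 class DNS-REPLIES
  police 8000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description upstream transit
 service-policy input POLICE-DNS-IN
```

Set the police rate from a baseline of normal DNS reply volume on the link; the exact `police` syntax varies by platform and software release.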

