[c-nsp] DNS amplification

Jon Lewis jlewis at lewis.org
Sat Mar 16 19:03:47 EDT 2013


uRPF stops your network from initiating such attacks.

Closing down your open recursive DNS servers stops you from being used / 
participating in the attacks.

Other than having infinite bandwidth capacity, there's not much you can do 
to defend against being attacked by a DNS amplification attack.

On Sat, 16 Mar 2013, Laurent Geyer wrote:

> Curious, how does uRPF help under this scenario? Although the source address is spoofed, the target is still a valid destination address.
> Laurent
>
> On Sat, Mar 16, 2013 at 6:38 PM, David Rothera <david.rothera at gmail.com>
> wrote:
>
>> Depends on whether you want to defeat being the person being attacked or
>> the person being "tricked" into being the person doing the amplification
>> attack.
>> For stopping being attacked without taking services from your upstream
>> provider the only thing you can do really is police DNS traffic as uRPF
>> isn't going to be of much help as it will generally be coming from the
>> correct ingress interface.
>> As far as stopping being the attacker as others have said use uRPF and
>> limit your resolvers to only allow access from hosts within your own AS.
>> David
>> On Saturday, March 16, 2013, harbor235 wrote:
>>> Can anyone provide insight into how to defeat DNS amplification attacks?
>>>
>>>
>>> thanks,
>>>
>>> Mike
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>> --
>> David Rothera
>

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
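The three positions the thread lays out (uRPF at the customer edge stops spoofed queries from leaving your network, an own-AS recursion ACL stops your resolver from being the amplifier, and policing inbound DNS is about all a target can do locally) as an added example that is not part of any message in the thread. It is a toy Python model using the standard `ipaddress` module; the FIB, prefixes, interface names, addresses and packet sizes are all constructed, and the `allow_default` flag mirrors the behaviour of the IOS `allow-default` keyword on `ip verify unicast source reachable-via rx`.

```python
"""Toy model of the DNS-amplification defences discussed on c-nsp:
strict uRPF at the customer edge, a resolver that recurses only for its
own AS, and a token-bucket policer for inbound DNS. Added example, not
code from the thread. Every address, prefix and interface is constructed."""

import ipaddress

# Constructed FIB of a provider edge router: prefix -> egress interface.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/1",  # our customer
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",     # default route to upstream
}

# Prefixes of our own AS: the resolver's allow-recursion list.
OWN_AS = [ipaddress.ip_network("192.0.2.0/24")]


def fib_lookup(src):
    """Longest-prefix match for src; returns (prefix, interface)."""
    ip = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB.items() if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_strict_permits(src, ingress, allow_default=False):
    """Strict uRPF: forward only if the best route back to the source
    points out the interface the packet arrived on. A match on the default
    route counts only when allow_default is set (IOS 'allow-default'), so a
    customer-facing interface drops packets whose source is not a customer
    prefix -- which is exactly how uRPF stops you originating the attack."""
    net, ifc = fib_lookup(src)
    if net.prefixlen == 0 and not allow_default:
        return False
    return ifc == ingress


def resolver_permits_recursion(src):
    """Closing the open resolver: recurse only for sources inside our AS.
    A spoofed query carrying the victim's address is refused, so no large
    answer is ever sent to the victim on the attacker's behalf."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in OWN_AS)


class Policer:
    """Token-bucket policer for inbound DNS at the target's edge. The only
    local lever the thread leaves a target, because amplified replies carry
    the resolver's genuine source address and pass uRPF."""

    def __init__(self, rate_bps, burst_bytes):
        self.bytes_per_ms = rate_bps / 8000  # 1 Mbit/s -> 125 bytes/ms
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0

    def accept(self, size, now_ms):
        refill = (now_ms - self.last_ms) * self.bytes_per_ms
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def walkthrough():
    """Runs each check over constructed packets and returns the verdicts."""
    out = {}
    # 1. Attacker's provider: a bot in 192.0.2.0/24 sends a query with the
    #    victim 203.0.113.10 as source. Strict uRPF on Gi0/1 drops it.
    out["spoofed_query_forwarded"] = urpf_strict_permits("203.0.113.10", "Gi0/1")
    out["legit_query_forwarded"] = urpf_strict_permits("192.0.2.5", "Gi0/1")
    # 2. Victim's provider: the amplified reply comes from the resolver's
    #    real address 198.51.100.53 over the upstream link, so uRPF with
    #    allow-default forwards it. uRPF cannot help the target.
    out["amplified_reply_forwarded"] = urpf_strict_permits(
        "198.51.100.53", "Gi0/0", allow_default=True)
    # 3. The resolver's own-AS ACL refuses the same spoofed query.
    out["spoofed_recursion_served"] = resolver_permits_recursion("203.0.113.10")
    out["own_as_recursion_served"] = resolver_permits_recursion("192.0.2.5")
    # 4. Policing: 1 Mbit/s with a 64 KiB burst against 4 KiB replies
    #    arriving once per millisecond; count survivors over 100 ms.
    policer = Policer(rate_bps=1_000_000, burst_bytes=65_536)
    out["replies_accepted_of_100"] = sum(
        policer.accept(4096, t) for t in range(100))
    return out


if __name__ == "__main__":
    for check, verdict in walkthrough().items():
        print(f"{check}: {verdict}")
```

The policer numbers make Jon's "infinite bandwidth" point concrete: once the burst is spent, the edge admits only what the configured rate allows, and legitimate replies to the target's own queries are dropped alongside the flood.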

