[j-nsp] Using IDP/AppFW on SRX for preventing DNSSEC Amplification Attacks

Phil Mayers p.mayers at imperial.ac.uk
Fri Sep 14 05:49:55 EDT 2012

On 09/14/2012 09:05 AM, Thomas Eichhorn wrote:

> as I believe most of us have encountered some DNS (DNSSEC)
> amplification attacks, I wonder if any of you had some success
> of stopping these using a SRX device.

I'd be surprised if it was "most of us". But yes, they're getting more 

> Does anyone have some other ideas or maybe even solutions? I have seen
> some implementations on the DNS-server side - but as always, if there is
> some closed source server behind you need to find another way..

Most sites I know of that are dealing with this issue are either using 
OS-level filtering such as ipfw/iptables recipies to rate-limit the 
"ANY" queries, or are runnng "bind" as their authoritative servers and 
using the response rate-limit patchset here:


Whilst the latter stops the reflection attacks, there is some debate 
about whether this helps with the inbound/DNS server load.

Since these are all source-spoofed attacks, I've been encouraging people 
to work with their network and upstream to deal with the root problems - 
source spoofing - either via S/RTBH or better yet by tracking the source 
spoofing across peerings and WHACKING ON THE ISP EMITTING THEM WITH A 

Because honestly - what platform can't do BCP 38 these days?

More information about the juniper-nsp mailing list