[j-nsp] Using IDP/AppFW on SRX for preventing DNSSEC Amplification Attacks
p.mayers at imperial.ac.uk
Fri Sep 14 05:49:55 EDT 2012
On 09/14/2012 09:05 AM, Thomas Eichhorn wrote:
> as I believe most of us have encountered some DNS (DNSSEC)
> amplification attacks, I wonder if any of you had some success
> of stopping these using a SRX device.
I'd be surprised if it was "most of us". But yes, they're getting more
> Does anyone have some other ideas or maybe even solutions? I have seen
> some implementations on the DNS-server side - but as always, if there is
> some closed source server behind you need to find another way..
Most sites I know of that are dealing with this issue are either using
OS-level filtering such as ipfw/iptables recipies to rate-limit the
"ANY" queries, or are runnng "bind" as their authoritative servers and
using the response rate-limit patchset here:
Whilst the latter stops the reflection attacks, there is some debate
about whether this helps with the inbound/DNS server load.
Since these are all source-spoofed attacks, I've been encouraging people
to work with their network and upstream to deal with the root problems -
source spoofing - either via S/RTBH or better yet by tracking the source
spoofing across peerings and WHACKING ON THE ISP EMITTING THEM WITH A
Because honestly - what platform can't do BCP 38 these days?
More information about the juniper-nsp