Hi,
as around 40% of ASNs allow at least partial IPv4 address spoofing in
their network (http://spoofer.csail.mit.edu/summary.php) and there are
around 30 million open resolvers (http://openresolverproject.org/) in
the Internet, DNS amplification traffic is a daily occurrence for
ISPs. This is probably mainly because RPF checks and DNS
RRL (https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-…
are not ubiquitously implemented, recursive requests without any ACLs
in DNS servers are often allowed, it requires little effort from the
attacker's point of view and is an effective attack method. Unfortunately,
there seems to be a very limited number of countermeasures for ISPs. A
few which I can think of:
1) higher capacity backbone links - I'm not sure if this can be
considered a mitigation method, but at least it can help to affect a
smaller number of customers if traffic volumes are not very high
2) rate-limit incoming DNS traffic flows on peering and uplink ports -
here I mean something similar to the iptables "recent"
module (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HO…
which allows a certain number of a certain type of packets in a configured
time slot per IP. However, such functionality is probably not common
on edge or backbone routers.
Tracking the packet state definitely does not work because the state table
should be synchronized between all the routers in the network and,
again, this requires Internet routers to have stateful firewall
functionality. In addition, one also needs to allow new DNS
connections from the Internet to its network.
If one simply polices incoming DNS traffic on uplink and peering
ports (for example, if baseline DNS traffic is 5Mbps, then the policer is
set to 50Mbps), then legitimate customers' DNS traffic is also affected
in case an actual attack occurs and the policer starts to drop DNS
traffic, i.e. the policer has no way to distinguish between legitimate
and non-legitimate incoming DNS traffic.
Am I wrong on some points? What are the common practices to mitigate
DNS amplification attacks in an ISP network?
thanks,
Martin
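An added example, not from the thread or any of its posters, that puts Martin's two options side by side on constructed flow records: a per-source "recent"-style hit-count window versus a flat byte policer on inbound UDP/53. The resolver addresses, packet sizes and timestamps are all made up for the demonstration.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp s, source IP, UDP source port, bytes) for packets
# arriving on an uplink. Inbound UDP source-port-53 packets are DNS responses,
# which is what reflected amplification traffic looks like to the victim's ISP.
LEGIT_RESOLVER = "198.51.100.10"   # constructed: a customer's normal upstream resolver
ABUSED_RESOLVER = "203.0.113.5"    # constructed: open resolver reflecting at the customer
SAMPLE_FLOWS = (
    [(1.9 + 2.0 * i, LEGIT_RESOLVER, 53, 120) for i in range(5)]      # 1 small answer / 2 s
    + [(0.25 + i / 40, ABUSED_RESOLVER, 53, 3000) for i in range(60)]  # 60 large answers in 1.5 s
    + [(0.1, "203.0.113.9", 4500, 200)]                                # non-DNS UDP, ignored
)

class RecentLimiter:
    """Per-source sliding window in the spirit of iptables' "recent" match
    (--seconds / --hitcount): a packet is dropped once its source has been seen
    `hitcount` or more times, this packet included, within the last `seconds`
    seconds. Only per-source timestamps are kept, no connection state."""
    def __init__(self, seconds, hitcount):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(deque)

    def drop(self, src, ts):
        q = self.stamps[src]
        q.append(ts)
        while ts - q[0] > self.seconds:   # expire timestamps that left the window
            q.popleft()
        return len(q) >= self.hitcount

def per_source_limit(flows, seconds=10.0, hitcount=20):
    """{src: (passed, dropped)} for DNS responses under the per-source limit."""
    limiter = RecentLimiter(seconds, hitcount)
    counts = defaultdict(lambda: [0, 0])
    for ts, src, sport, _size in sorted(flows):
        if sport == 53:
            counts[src][limiter.drop(src, ts)] += 1   # index 1 == dropped
    return {src: tuple(c) for src, c in counts.items()}

def flat_policer(flows, bytes_per_second):
    """{src: (passed, dropped)} under one aggregate policer on inbound UDP/53:
    once a one-second bucket exceeds the limit, every further DNS packet in that
    bucket is dropped regardless of who sent it, which is the collateral damage
    the thread describes."""
    bucket_bytes, counts = defaultdict(int), defaultdict(lambda: [0, 0])
    for ts, src, sport, size in sorted(flows):
        if sport == 53:
            bucket_bytes[int(ts)] += size
            counts[src][bucket_bytes[int(ts)] > bytes_per_second] += 1
    return {src: tuple(c) for src, c in counts.items()}
```

With these inputs the per-source window drops only the abused resolver's excess responses and leaves the legitimate resolver untouched, while the flat policer also drops a legitimate answer that happens to arrive in a saturated second.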
--- nanog(a)nanog.org wrote:
From: ABDUL AWAL via NANOG <nanog(a)nanog.org>
http://bdnews24.com/bangladesh/2015/11/29/proxy-servers-to-access-facebook-…
---------------------------------
Hahaha, gov't official - meet reality.
"State Minister for Posts and Telecommunications Tarana
Halim says proxy servers being used..."
""I think Facebook can't be closed unless the internet
is shut down. We don't want to do that. We won't shut
down the internet," said Tarana Halim."
"We are only catching only those that need to be caught,
not everyone."
"I ask you (journalists) to find out whether it's possible
or not. I hope you will find the answer. Closing down
Facebook 100 percent is not possible in any country in the
world"
Or any other app a gov't wants to keep from its citizenry
so their communications with others can be controlled.
"Those who are using them are using a bandwidth with
a specific capacity. They won't be able to do that
much longer. Because this bandwidth's capacity is low."
"The second bandwidth's speed is far lower than normal.
Saboteurs can't communicate and organise attacks fast
enough using that bandwidth. It's very easy to track
(anyone's internet activity) if the speed is low.""
wtf does that even mean?
scott
If you've done one, please ping me off-list? Got a few clarifications that
the RFC doesn't go deep enough in the right places for.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra(a)baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
---------------------------------------------
Md. abdullah Al naser mail.naserbd at yahoo.com
Wed Nov 18 12:56:15 BDT 2015
The service of Facebook, Viber and Whatsapp are
blocked from now till further notice. It has been
ordered by Begum Tarana Halim, State Minister, Post
and Telecommunications.
----------------------------------------------
I just saw this on BdNOG and thought it might be
interesting to others here and where some of the
internet is headed...
Wow, all of these govts just can't seem to deal
with not being able to completely control *everything*
about the populace.
So, in Bangladesh, no communicating with your social
peers, no free calls, text or picture sharing and no
mobile messaging. The new State Minister for Post
and Telecommunications in Bangladesh wants her money.
It'd be interesting to hear how they're attempting
to make it happen.
scott