Hi, depends on the type of ISP you are and the bandwidth used in the attack. If most attacks are targeted for www.example.com then you could design your net so that www.example.com is just a TCP service VIP that never needs any UDP. This would make it possible to place simple ACL on your edge to get rid of most stuff. Yes there are people that know how to correctly DDOS but most just give up after there attack traffic never affects the service. If the bandwidth exceeds your transit/peering capacity you need to filter/blackhole it upstream. You can also isolate the prefix under attack to a single transit or a DDOS mitigation service to prevent the other prefixes from being impacted. Other useful stuff is a flow based traffic analysis tool to get details about the attack. Karsten 2015-12-01 17:59 GMT+01:00 Martin T <m4rtntns@gmail.com>:
Hi,
as around 40% of ASNs allow at least partial IPv4 address spoofing in their network(http://spoofer.csail.mit.edu/summary.php) and there are around 30 million open-resolvers(http://openresolverproject.org/) in the Internet, then DNS amplification traffic is daily occasion for ISPs. This in probably mainly because RPF checks and DNS RRL(https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-...) are not ubiquitously implemented, recursive requests without any ACLs in DNS servers are often allowed, it requires little effort from attackers point of view and is effective attack method. Unfortunately, there seems to be very limited number of countermeasures for ISPs. Few which I can think of:
1) higher capacity backbone links - I'm not sure if this can be considered a mitigation method, but at least it can help to affect smaller amount of customers if traffic volumes are not very high
2) rate-limit incoming DNS traffic flows on peering and uplink ports - here I mean something similar to iptables "recent" module(http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.ht...) which allows certain number of certain type of packets in a configured time-slot per IP. However, such functionality is probably not common on edge or backbone routers.
Tracking the packet state does definitely not work because state table should be synchronized between all the routers in the network and again, this requires Internet-routers to have stateful firewall functionality. In addition, one also needs to allow new DNS connections from Internet to its network. If one simply polices incoming DNS traffic on uplink and peering ports(for example if baseline DNS traffic is 5Mbps, then policer is set to 50Mbps), then legitimate customers DNS traffic is also affected in case of actual attack occurs and policer starts to drop DNS traffic, i.e. policer has no way to distinguish between the legitimate and non-legitimate incoming DNS traffic.
Am I wrong in some points? What are the common practices to mitigate DNS amplification attacks in ISP network?
thanks, Martin