On Tue, Dec 1, 2015 at 11:59 AM, Martin T <m4rtntns@gmail.com> wrote:
> Am I wrong in some points? What are the common practices to mitigate DNS amplification attacks in ISP network?
Hi Martin,

You seem to be focused on DNS amplification from the perspective of the attack's target. To the target, it's just another DDOS attack. As with other DDOS attacks, you reroute the contained /24 to a DDOS mitigator who specializes in removing unwanted packets from the data stream and passing the rest to your network via a tunnel. The mitigator writes custom software on expensive server arrays which figure out the attack du jour signatures and scrub the packet flows.

Some folks rate-limit UDP flows. This just kills everything sooner during an attack since you kinda need DNS to work. Rate limiting by source turns your DNS requests stateful... a happy fun way to shoot yourself in the foot.

Really, your best bet is to treat it as just another DDOS and let the guy you pay for DDOS service handle the details.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com  bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
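Before a /24 is handed to a mitigator, the operator has to notice that one host in it is the reflection target. The script below is an added illustration (not part of this thread, and not Bill's or Martin's code) of the detection logic an ISP can run over its own flow export: for each host in the customer prefix it compares the bytes that host sent to UDP/53 with the bytes it received from UDP/53 and counts how many distinct external resolvers answered it. A host that receives large DNS responses from many resolvers while sending almost no queries is the spoofed source address of an amplification attack. The prefix `203.0.113.0/24`, the thresholds `MIN_AMPLIFICATION` and `MIN_REFLECTORS`, and the flow records are all constructed for the example.

```python
"""Flag hosts in a customer prefix that look like DNS amplification targets.

Input is a list of NetFlow-style records (src, dst, proto, sport, dport,
bytes, packets). All addresses are documentation ranges chosen for the
example; the thresholds are assumptions, not operator guidance from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_PREFIX = ip_network("203.0.113.0/24")  # assumed: the customer /24 we watch
DNS_PORT = 53
MIN_AMPLIFICATION = 10.0  # assumed: response bytes per request byte before we flag
MIN_REFLECTORS = 5        # assumed: distinct resolvers answering one host before we flag


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    bytes: int
    packets: int


def is_ours(addr: str) -> bool:
    return ip_address(addr) in OUR_PREFIX


def summarize_dns(flows):
    """Per internal host: bytes sent to UDP/53, bytes received from UDP/53,
    and the set of external resolvers that sent those responses."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp":
            continue  # amplification rides UDP; TCP/53 is not reflectable this way
        if is_ours(f.src) and not is_ours(f.dst) and f.dport == DNS_PORT:
            stats[f.src]["req_bytes"] += f.bytes  # query leaving our prefix
        elif is_ours(f.dst) and not is_ours(f.src) and f.sport == DNS_PORT:
            stats[f.dst]["resp_bytes"] += f.bytes  # response entering our prefix
            stats[f.dst]["reflectors"].add(f.src)
    return stats


def amplification_ratio(entry) -> float:
    # A host that sent no queries at all is the strongest signal; avoid dividing by zero.
    return entry["resp_bytes"] / max(entry["req_bytes"], 1)


def suspected_targets(flows, min_ratio=MIN_AMPLIFICATION, min_reflectors=MIN_REFLECTORS):
    """Return {host: summary} for hosts whose inbound DNS traffic looks reflected."""
    flagged = {}
    for host, entry in summarize_dns(flows).items():
        ratio = amplification_ratio(entry)
        if ratio >= min_ratio and len(entry["reflectors"]) >= min_reflectors:
            flagged[host] = {
                "ratio": round(ratio, 1),
                "reflectors": len(entry["reflectors"]),
                "resp_bytes": entry["resp_bytes"],
            }
    return flagged


# Constructed sample: one host doing ordinary lookups, one host being reflected at.
SAMPLE_FLOWS = [
    # 203.0.113.10 asks a resolver three questions and gets three modest answers
    Flow("203.0.113.10", "198.51.100.1", "udp", 40123, 53, 240, 3),
    Flow("198.51.100.1", "203.0.113.10", "udp", 53, 40123, 600, 3),
    # a TCP zone transfer that the UDP-only logic must ignore
    Flow("198.51.100.1", "203.0.113.10", "tcp", 53, 51000, 90000, 70),
]
# 203.0.113.77 never sent a query, yet eight open resolvers answer it with 3000 bytes each
for i in range(1, 9):
    SAMPLE_FLOWS.append(Flow(f"192.0.2.{i}", "203.0.113.77", "udp", 53, 5353, 3000, 2))


if __name__ == "__main__":
    for host, info in suspected_targets(SAMPLE_FLOWS).items():
        print(f"{host}: {info['reflectors']} reflectors, "
              f"{info['resp_bytes']} response bytes, ratio {info['ratio']}")
```

In production the ratio and reflector thresholds would be tuned against a baseline of the prefix's normal DNS traffic, and the output would feed whatever workflow triggers the reroute of the affected /24 to the mitigation provider rather than block anything inline.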