Hi, as around 40% of ASNs allow at least partial IPv4 address spoofing in their network(http://spoofer.csail.mit.edu/summary.php) and there are around 30 million open-resolvers(http://openresolverproject.org/) in the Internet, then DNS amplification traffic is daily occasion for ISPs. This in probably mainly because RPF checks and DNS RRL(https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-...) are not ubiquitously implemented, recursive requests without any ACLs in DNS servers are often allowed, it requires little effort from attackers point of view and is effective attack method. Unfortunately, there seems to be very limited number of countermeasures for ISPs. Few which I can think of: 1) higher capacity backbone links - I'm not sure if this can be considered a mitigation method, but at least it can help to affect smaller amount of customers if traffic volumes are not very high 2) rate-limit incoming DNS traffic flows on peering and uplink ports - here I mean something similar to iptables "recent" module(http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.ht...) which allows certain number of certain type of packets in a configured time-slot per IP. However, such functionality is probably not common on edge or backbone routers. Tracking the packet state does definitely not work because state table should be synchronized between all the routers in the network and again, this requires Internet-routers to have stateful firewall functionality. In addition, one also needs to allow new DNS connections from Internet to its network. If one simply polices incoming DNS traffic on uplink and peering ports(for example if baseline DNS traffic is 5Mbps, then policer is set to 50Mbps), then legitimate customers DNS traffic is also affected in case of actual attack occurs and policer starts to drop DNS traffic, i.e. policer has no way to distinguish between the legitimate and non-legitimate incoming DNS traffic. Am I wrong in some points? What are the common practices to mitigate DNS amplification attacks in ISP network? thanks, Martin