On 1 Dec 2015, at 23:59, Martin T wrote:
What are the common practices to mitigate DNS amplification attacks in ISP network?
Situationally-appropriate network access policies instantiated as ACLs on hardware-based routers/layer-3 switches in IDCs, on customer aggregation routers, in mitigation centers, etc. S/RTBH. flowspec. IDMS (full disclosure, I work for a vendor of such systems). See this .pdf preso: <https://app.box.com/s/r7an1moswtc7ce58f8gg> Statefulness is out, as you indicate. QoS is out, as you indicated (e.g., legitimate traffic is 'crowded out' by programmatically-generated attack traffic). The real solution to this entire problem set is source-address validation, as you indicate. Until the happy day when we've achieved universal source-address validation arrives, various combinations of the above. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>