[dns-operations] dealing with DDoS/amplification attacks

Jim Reid jim at rfc1035.com
Mon Jun 18 12:15:57 UTC 2012

On 18 Jun 2012, at 12:36, Kostas Zorbadelos wrote:

> Stephane Bortzmeyer <bortzmeyer at nic.fr> writes:
>> If you don't do ingress filtering, it still allows people to attack
>> your users (they can send from the outside a "ANY ripe.net" query
>> claiming to be from a local machine).
> The same is true if you have open resolvers / forwarders in your  
> networks (problem CPEs for example) and they accept spoofed queries  
> from the outside.
> What is the proposed mitigation for the ISP caching resolver in  
> these cases?

Don't do that. :-)

If the attack packets have a format that can easily be filtered to
/dev/null, it should be possible (handwave, handwave!) to make a
firewall or router drop these at the ingress point(s) into your network.

And then go chase the upstream providers who are dumping this crap on  

Statements of the bleedin' obvious...
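As an added example (not from the thread or any of its authors), here is the ingress check Jim is hand-waving at, written out for a caching resolver that should serve only local clients: a query arriving on the outside interface but claiming a local source address is the spoof Stephane describes and is dropped, and non-local clients are refused so the resolver is not open. The prefixes, interface names and sample queries are constructed for the illustration.

```python
"""Ingress filtering for an ISP caching resolver (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Prefixes the resolver is meant to serve; documentation ranges, constructed for this example.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("2001:db8::/32")]
EXTERNAL_IFACE = "ext0"  # hypothetical name of the upstream-facing interface


@dataclass
class DnsQuery:
    iface: str   # interface the packet arrived on
    src: str     # claimed source address
    qname: str
    qtype: str


def is_local(addr: str) -> bool:
    """True if addr falls inside one of the resolver's own client prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)  # version mismatch yields False


def classify(q: DnsQuery) -> str:
    """Decide at the ingress point whether a query is served or dropped."""
    # A local source address cannot legitimately arrive from the outside:
    # this is the spoofed "ANY ripe.net claiming to be a local machine" case.
    if q.iface == EXTERNAL_IFACE and is_local(q.src):
        return "drop-spoofed-source"
    # The resolver is not an open resolver: outside clients are refused.
    if not is_local(q.src):
        return "drop-nonlocal-client"
    return "accept"


def summarize(queries) -> dict:
    """Count verdicts over a batch of queries (what a filter log would tally)."""
    counts = {}
    for q in queries:
        verdict = classify(q)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


SAMPLE_QUERIES = [  # constructed, not captured traffic
    DnsQuery("int0", "192.0.2.10", "www.example.com", "A"),   # normal local client
    DnsQuery("ext0", "192.0.2.10", "ripe.net", "ANY"),        # spoofed local source from outside
    DnsQuery("ext0", "203.0.113.5", "ripe.net", "ANY"),       # outside client, refused
    DnsQuery("int0", "2001:db8::1", "ripe.net", "ANY"),       # local v6 client, fine
    DnsQuery("ext0", "2001:db8::1", "ripe.net", "ANY"),       # spoofed local v6 source
]

if __name__ == "__main__":
    print(summarize(SAMPLE_QUERIES))
```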

