[dns-operations] Small datapoint on current DoS mitigation

Dobbins, Roland rdobbins at arbor.net
Fri Apr 4 09:57:15 UTC 2014


On Apr 4, 2014, at 4:13 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

> If customers are running older resolver code which sources queries from UDP/53, then this ACL will cause problems for them; utilizing flow telemetry to determine the likelihood of these corner-cases arising is very important, along with plans to proactively handle them without breaking the Internet for these customers.

If this is a significant problem, here're revised tACL stanzas which *must* be tested and piloted prior to general deployment.  Using flow-telemetry to determine whether the attack-source queries are sourced from high ports or from UDP/53 is strongly advised.

-----

access-list 101 remark Apply these stanzas inbound on coreward customer aggregation gateway interfaces.
access-list 101 remark Deny inbound traffic to UDP/53 on broadband customer networks.
access-list 101 remark Allow UDP/53-UDP/53 traffic for older customer resolver code.
access-list 101 permit udp any eq 53 172.19.25.0 0.0.0.255 eq 53
access-list 101 deny udp any 172.19.25.0 0.0.0.255 eq 53
access-list 101 remark Allow all other IP traffic to customer nodes - VERY important!
access-list 101 permit ip any 172.19.25.0 0.0.0.255

-----

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
