[dns-operations] Small datapoint on current DoS mitigation

bert hubert bert.hubert at netherlabs.nl
Wed Apr 9 19:06:37 UTC 2014

On Fri, Apr 04, 2014 at 09:57:15AM +0000, Dobbins, Roland wrote:
> On Apr 4, 2014, at 4:13 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:
> > If customers are running older resolver code which sources queries from UDP/53, then this ACL will cause problems for them; utilizing flow telemetry to determine the likelihood of these corner-cases arising is very important, along with plans to proactively handle them without breaking the Internet for these customers.
> If this is a significant problem, here're revised tACL stanzas which
> *must* be tested and piloted prior to general deployment.  Using
> flow-telemetry to determine whether the attack-source queries are sourced
> from high ports or from UDP/53 is strongly advised.

Hi Roland,

Thank you for this. As an additional datapoint, for this specific
deployment, there are two instances of PowerDNS. One serves a large number
of mobile (3G, 4G) users, the other a small number of DSL customers.

The mobile users create 0% problematic traffic, while for the far smaller
number of DSL users currently ~40% of queries are involved in this attack.

I think the difference is because the cell users can't accept inbound
traffic from the internet. 


> -----
> access-list 101 remark Apply these stanzas inbound on coreward customer aggregation gateway interfaces.
> access-list 101 remark Deny inbound traffic to UDP/53 on broadband customer networks.
> access-list 101 remark Allow UDP/53-UDP/53 traffic for older customer resolver code.
> access-list 101 permit udp any eq 53 eq 53
> access-list 101 deny udp any eq 53
> access-list 101 remark Allow all other IP traffic to customer nodes - VERY important!
> access-list 101 permit ip any
> -----
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 	  Luck is the residue of opportunity and design.
> 		       -- John Milton
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list