On 09/14/2012 09:05 AM, Thomas Eichhorn wrote:

> as I believe most of us have encountered some DNS (DNSSEC)
> amplification attacks, I wonder if any of you had some success
> of stopping these using a SRX device.

I'd be surprised if it was "most of us". But yes, they're getting more common.

> Does anyone have some other ideas or maybe even solutions? I have seen
> some implementations on the DNS-server side - but as always, if there is
> some closed source server behind you need to find another way..


Most sites I know of that are dealing with this issue are either using OS-level filtering such as ipfw/iptables recipes to rate-limit the "ANY" queries, or are running "bind" as their authoritative servers and using the response rate-limit patchset here:

http://www.redbarn.org/dns/ratelimits

Whilst the latter stops the reflection attacks, there is some debate about whether this helps with the inbound/DNS server load.

Since these are all source-spoofed attacks, I've been encouraging people to work with their network and upstream to deal with the root problems - source spoofing - either via S/RTBH or better yet by tracking the source spoofing across peerings and WHACKING ON THE ISP EMITTING THEM WITH A CROWBAR.

Because honestly - what platform can't do BCP 38 these days?
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
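The per-source rate-limiting of "ANY" queries mentioned in the reply above is usually done in the kernel with iptables string matching plus the `recent` module. The block below is an added example written for this page, not code from the thread or from any of the tools it names: it re-implements that matching logic in user space (parse the DNS question, flag ANY/IN queries, count hits per source in a sliding window) so the decision can be read and run offline against constructed packets. The window length, the hit count, the `decide` / `simulate` helpers and the RFC 5737 documentation address are all assumptions made for the example; the `recent`-module semantics are approximated, not reproduced exactly.

```python
"""Flag DNS "ANY" queries and rate-limit them per source address.

Added example (not from the juniper-nsp thread): a user-space model of the
iptables/ipfw "rate-limit the ANY queries" recipes, with constructed input.
"""
import struct
from collections import defaultdict, deque

QTYPE_ANY = 255   # RFC 1035 QTYPE "*" (ANY)
QCLASS_IN = 1
QTYPE_A = 1


def parse_question(dns_payload: bytes):
    """Return (qname, qtype, qclass) of the first question in a DNS message.

    Raises ValueError on truncated or malformed input so a caller can treat
    junk as "not a well-formed query" instead of crashing.
    """
    if len(dns_payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", dns_payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(dns_payload):
            raise ValueError("truncated qname")
        length = dns_payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        label = dns_payload[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(dns_payload):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", dns_payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def is_any_query(dns_payload: bytes) -> bool:
    """True for a query (QR bit clear) whose first question is ANY in class IN.

    The kernel recipes match the same thing as the byte pattern
    00 00ff 0001 (root label, QTYPE ANY, QCLASS IN) after the header.
    """
    try:
        _, qtype, qclass = parse_question(dns_payload)
    except ValueError:
        return False
    is_query = not (dns_payload[2] & 0x80)
    return is_query and qtype == QTYPE_ANY and qclass == QCLASS_IN


class AnyQueryLimiter:
    """Sliding-window limiter keyed on source IP.

    Allows at most `hitcount` ANY queries per `seconds` from one source and
    drops the rest; roughly what `-m recent --seconds N --hitcount M` does.
    """

    def __init__(self, seconds: float = 60.0, hitcount: int = 5):
        self.seconds = seconds
        self.hitcount = hitcount
        self._hits = defaultdict(deque)

    def decide(self, src_ip: str, dns_payload: bytes, now: float) -> str:
        """Return "accept" or "drop" for one datagram seen at time `now`."""
        if not is_any_query(dns_payload):
            return "accept"          # never count ordinary queries
        window = self._hits[src_ip]
        while window and now - window[0] >= self.seconds:
            window.popleft()         # expire hits outside the window
        window.append(now)
        return "drop" if len(window) > self.hitcount else "accept"


def build_query(qname: str, qtype: int, flags: int = 0x0100) -> bytes:
    """Constructed sample input: a minimal one-question DNS message."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def simulate() -> dict:
    """Run a constructed burst through the limiter and tally the verdicts."""
    limiter = AnyQueryLimiter(seconds=60, hitcount=5)
    verdicts = defaultdict(int)
    spoofed_victim = "192.0.2.10"    # RFC 5737 documentation address
    for i in range(8):               # 8 ANY queries in 8 seconds: 5 pass, 3 drop
        verdicts[limiter.decide(spoofed_victim,
                                build_query("example.com", QTYPE_ANY), float(i))] += 1
    for i in range(20):              # A queries are never counted or dropped
        verdicts[limiter.decide(spoofed_victim,
                                build_query("example.com", QTYPE_A), float(i))] += 1
    return dict(verdicts)


if __name__ == "__main__":
    print(simulate())
```

Note that this only throttles the reflector's share of the attack traffic towards the spoofed victim; as the reply points out, the packets still arrive at the server, which is why the thread steers towards BCP 38 and S/RTBH upstream.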
