AnsweredAssumed Answered

Help Stop DNS Amp Attacks?

Question asked by djcanadianjeff on Nov 1, 2013
Latest reply on Nov 4, 2013 by kevinds

I wonder if shaw does this at all

Source IP Verification

Because the DNS queries being sent by the attacker-controlled clients must have a source address spoofed to appear as the victim’s system, the first step to reducing the effectiveness of DNS amplification is for Internet Service Providers to reject any DNS traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force released Best Current Practice 38 document in May 2000 and Best Current Practice 84 in March 2004 that describes how an Internet Service Provider can filter network traffic on their network to reject packets with source addresses not reachable via the actual packet’s path [7]. The changes recommended in this document would cause a routing device to evaluate whether it is possible to reach the source address of the packet via the interface that transmitted the packet. If it is not possible, then the packet obviously has a spoofed source address. This configuration change would substantially reduce the potential for most popular types of DDoS attacks. As such, we highly recommend to all network operators to perform network ingress filtering if possible.


Outcomes