Quote:
Originally Posted by Pringles
I am just speculating here since I don't know the scope of the attack, only what you noted about a DNS amplification attack, but what about firewalling all DNS-related traffic on the p99 boxen, and have us use our own DNS resolution for the server (Windows hosts file)? Would that help at all? I wouldn't mind making host entries to resolve p99 DNS so that you can shut it off.
I think the only thing that would mitigate the problem is a device that sits on the ISP's side of Rogean's drop (or somewhere in the path of their connection to the rest of the world). That device would need to be able to track DNS name resolution requests so that when the name resolution responses are returned it could then match them up with the requests and block any responses that don't have matching requests (thus blocking the responses to the spoofed requests). Unfortunately, doing that on Rogean's side of the drop wouldn't prevent his drop from being saturated, which is what he described as the problem.
I think if his ISP isn't willing to help he has no choice but to move to one that would be willing to help if this happens again.
Boiled down... Rogean really cannot do anything himself to prevent this.
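The request/response matching described in the post above, sketched as an added example that is not part of the original thread. The class name, the 5-second state lifetime and the sample packets (documentation address ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    txid: int          # DNS transaction ID
    is_response: bool  # DNS header QR bit

class DnsStateFilter:
    """Forward an inbound DNS response only if a matching query was seen leaving."""
    def __init__(self, ttl=5.0):
        self.ttl = ttl      # assumed lifetime of a pending query, in seconds
        self.pending = {}   # (client, client port, resolver, txid) -> expiry time

    def outbound(self, p):
        # Purge stale state so unanswered queries do not accumulate.
        self.pending = {k: e for k, e in self.pending.items() if e > p.ts}
        if p.dport == 53 and not p.is_response:
            self.pending[(p.src, p.sport, p.dst, p.txid)] = p.ts + self.ttl

    def inbound(self, p):
        """Return True to forward the packet, False to drop it."""
        if p.sport != 53 or not p.is_response:
            return True     # not a DNS response, out of scope for this filter
        expiry = self.pending.pop((p.dst, p.dport, p.src, p.txid), None)
        return expiry is not None and p.ts < expiry

def run_sample():
    """Run constructed traffic through the filter and return the verdicts."""
    srv, resolver, reflector = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    f = DnsStateFilter()
    verdicts = []
    f.outbound(Packet(0.00, srv, 40000, resolver, 53, 0x1A2B, False))
    reply = Packet(0.05, resolver, 53, srv, 40000, 0x1A2B, True)
    verdicts.append(f.inbound(reply))   # answers a query that really left
    verdicts.append(f.inbound(reply))   # replay: state already consumed
    # Reflected reply to a spoofed query the server never sent.
    verdicts.append(f.inbound(Packet(0.10, reflector, 53, srv, 12345, 0x9999, True)))
    f.outbound(Packet(1.00, srv, 40001, resolver, 53, 0x2222, False))
    # Reply arrives after the pending entry has expired.
    verdicts.append(f.inbound(Packet(7.00, resolver, 53, srv, 40001, 0x2222, True)))
    return verdicts

if __name__ == "__main__":
    print(run_sample())  # [True, False, False, False]
```

As the post notes, this logic only relieves the link when it runs upstream of the saturated drop; run on the victim's side, the unsolicited responses have already consumed the bandwidth.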