[u-u] DNS Reflection Amplification Attack Mitigation

Hugh Gamble hugh at phaedrav.com
Tue Dec 9 22:28:08 EST 2014


Not a Unix question,
but it's about an ASUS home router based on Linux
so I know you'll forgive me. ?

I have a public DNS server that is not recursive and doesn't forward
(so it's a bad choice for amplification attacks).
It's been getting DNS reflection amplification attacks against a remote
target daily
ramping up from 8:30PM to 9PM then running to 11PM.

The router firewall GUI interface is deficient
but there's command line access to iptables.
I can add (non-persistent) rules to the filter table.
And I started dropping incoming requests with the spoofed address.

Unless it was coincidence, 
I think that got the attacks to stop (rather than just being mitigated).

General discussion of the problem is welcome.
But my specific question is how an attacker would notice
that using this DNS server was no longer effective.
(not that it was amplifying much in the first place)
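As an added example (not code from the post or the u-u list), here is a small detector for the pattern described above: one apparent client, really the spoofed victim, firing amplification-friendly queries at a non-recursive server. It assumes BIND-style query-log lines and constructed sample addresses; the iptables rules it emits follow the non-persistent filter-table approach in the post and are returned as strings rather than run.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}  # large answers, favoured for amplification

# BIND-style "query" log line (assumed format, not from the post).
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def constructed_log():
    """Constructed sample log (not from the post). 198.51.100.5 stands in for the
    spoofed victim address; 203.0.113.x are ordinary clients asking for A records."""
    base = datetime(2014, 12, 9, 20, 30, 0)
    lines = [f"{base + timedelta(seconds=i):%d-%b-%Y %H:%M:%S}.000 client 198.51.100.5#53 "
             f"(example.com): query: example.com IN ANY +E (192.0.2.10)" for i in range(40)]
    lines += [f"{base + timedelta(seconds=10 * i):%d-%b-%Y %H:%M:%S}.000 client 203.0.113.{i + 1}#4123{i} "
              f"(example.com): query: www.example.com IN A + (192.0.2.10)" for i in range(5)]
    return lines

def parse_line(line):
    """Parse one query-log line into a dict, or None if it is not a query record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            "src": m["src"], "qname": m["qname"], "qtype": m["qtype"]}

def find_reflection_sources(lines, window_seconds=60, threshold=20):
    """Return {src_ip: peak_count} for sources whose amplification-prone query count
    exceeds the threshold in any sliding window (a spoofed victim looks like one very busy client)."""
    times = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["qtype"] in AMPLIFYING_QTYPES:
            times[rec["src"]].append(rec["ts"])
    hits = {}
    for src, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while (t - ts[start]).total_seconds() >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[src] = peak
    return hits

def drop_rules(hits):
    """Render filter-table rules dropping UDP/53 queries with the victim's (spoofed) source; not executed."""
    return [f"iptables -I INPUT -p udp --dport 53 -s {src} -j DROP" for src in sorted(hits)]
```

The threshold needs tuning per server: a busy legitimate resolver can also send many queries, so treat a hit as a prompt to inspect query types and timing (the post's 8:30PM ramp-up) before dropping.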
