Friendly reminder to HKIX participants about how to mitigate DDoS attacks
Dear HKIX participants,
Open DNS Recursive Resolvers pose a significant threat to the global Internet infrastructure as they are utilized in DNS Amplification attacks. A recent DDoS attack was found exploiting this security hole against some Internet companies with total traffic estimated to be over 300Gbps. In order to help mitigate future attacks, we would like to remind you to take the following actions:
- Please refer to http://openresolverproject.org/ for guidance on shutting down open DNS recursive resolvers on your networks. Most DNS-related measures and technical resources, including DNS RRL (Response Rate Limiting), are also covered there, so we highly recommend taking a detailed look at the site.
- Please implement BCP38 on your networks so that your customers cannot spoof the source IP addresses of their outgoing packets. This is critically important to stop an entire range of DDoS attacks on the Internet. More information can be found at: http://tools.ietf.org/html/bcp38
- Please do NOT announce HKIX's IP address blocks 202.40.160/23 and 2001:7FA:0:1::/64 anywhere via BGP.
- Please consider implementing control plane policing on your routers (i.e. rate limiting).
Let us work together to build a more secure Internet.
Thank you very much for your attention.
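
A pre-deployment check for the BGP item in the notice above, as an added example that is not part of the original HKIX message: it scans a list of prefixes slated for export and flags any that fall inside the two HKIX blocks. The `EXPORT_CANDIDATES` list is constructed sample data, the function names are hypothetical, and treating more-specific prefixes as covered by the notice is an assumption.

```python
import ipaddress

# Peering LAN blocks exactly as written in the notice.
HKIX_BLOCKS = ["202.40.160/23", "2001:7FA:0:1::/64"]


def parse_prefix(text):
    """Parse a prefix, padding short IPv4 forms such as 202.40.160/23."""
    addr, _, length = text.strip().partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    # strict=False tolerates host bits set in a hand-written list.
    return ipaddress.ip_network(f"{addr}/{length}" if length else addr,
                                strict=False)


PROTECTED = [parse_prefix(p) for p in HKIX_BLOCKS]


def audit_announcements(prefixes):
    """Return (prefix, reason) for each entry that must not be exported.

    Flags the HKIX blocks themselves and any more-specific prefix inside
    them (assumption). Covering aggregates such as a default route are
    not flagged here.
    """
    findings = []
    for text in prefixes:
        net = parse_prefix(text)
        for block in PROTECTED:
            if net.version != block.version:
                continue
            if net == block:
                findings.append((text, f"exact match of {block}"))
            elif net.subnet_of(block):
                findings.append((text, f"more-specific of {block}"))
    return findings


# Constructed sample export list (documentation prefixes plus HKIX space).
EXPORT_CANDIDATES = [
    "203.0.113.0/24", "202.40.161.0/24", "202.40.160.0/23",
    "2001:db8::/32", "2001:7fa:0:1::/64", "0.0.0.0/0",
]

if __name__ == "__main__":
    for prefix, reason in audit_announcements(EXPORT_CANDIDATES):
        print(f"DO NOT ANNOUNCE {prefix}: {reason}")
```
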