AdvancedScenario
15 min
DNS Amplification DDoS Attack
DNSSecurityDDoS
Advertisement
Interview Question
Your DNS servers are overloaded with suspicious traffic patterns resembling amplification. How do you detect, mitigate, and protect?
Key Points to Cover
- Identify traffic patterns and QPS spikes via logs/metrics
- Confirm reflection/amplification from open resolvers
- Rate-limit or block malicious sources at firewall/CDN
- Engage provider DDoS mitigation services
- Harden DNS infra: anycast, caching, restrict recursion
Evaluation Rubric
Detects attack via DNS metrics/logs30% weight
Applies rate limits or DDoS controls30% weight
Uses provider mitigation effectively20% weight
Mentions long-term DNS hardening20% weight
Hints
- 💡Look for large response-to-query ratios.
Common Pitfalls to Avoid
- ⚠️Failing to distinguish between legitimate traffic spikes and amplification patterns.
- ⚠️Assuming all UDP traffic on port 53 is malicious without verification.
- ⚠️Not implementing rate limiting or access controls effectively at the network edge or firewall.
- ⚠️Neglecting to harden DNS server configurations to prevent open recursion.
- ⚠️Focusing solely on immediate mitigation without planning for long-term resilience and prevention.
Potential Follow-up Questions
- ❓How to configure response rate limiting?
- ❓How to test DDoS readiness?
Advertisement