Andy Ellis (yes, @csoandy) had a good educational post on DNS Reflection attacks. DRDoS, distributed reflection denial of service (no, Digital Research DOS isn’t making a comeback – dating myself FTW), has proven an effective way for attackers to scale Denial of Service (DoS) attacks to over 100 Gbps. Andy explains how DNS Reflection works, why it’s hard to deal with, and what targets can do to defend themselves.
The first line of defense is always capacity. Without enough bandwidth at the front of your defenses, nothing else matters. This needs to be measurable both in raw bandwidth, as well as in packets per second, because hardware often has much lower bandwidth capacity as packet sizes shrink.
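To make the bandwidth-versus-packets-per-second point concrete, here is a small capacity-planning model added for this post; it is not code from Andy's article or from this blog. It assumes a hypothetical forwarding device with two independent ceilings, a link rate in bits per second and a packets-per-second (pps) limit, and computes which one actually caps throughput for a given packet size. The Ethernet per-frame overhead constant (preamble, start delimiter, FCS and inter-frame gap) is standard; the link rate, pps limit and packet sizes used below are constructed sample values.

```python
# Added capacity-planning example (not from Andy Ellis's post or this blog).
# Models why "enough bandwidth" must be measured in packets per second as well
# as bits per second: a device's usable bit rate collapses as packets shrink,
# because it runs into its pps ceiling long before the link is full.

# Per-frame wire overhead on Ethernet: 7-byte preamble, 1-byte SFD,
# 4-byte FCS and 12-byte inter-frame gap. Standard figure, not a guess.
ETHERNET_OVERHEAD_BYTES = 24


def wire_bits(packet_bytes: int) -> int:
    """Bits occupied on the wire by one frame of the given size, overhead included."""
    return (packet_bytes + ETHERNET_OVERHEAD_BYTES) * 8


def effective_capacity_bps(link_bps: float, pps_limit: float, packet_bytes: int) -> float:
    """Usable bits/s for a stream of fixed-size packets.

    The device can never exceed the link rate, and it can never forward more
    than pps_limit frames per second; the lower of the two bounds wins.
    """
    return min(link_bps, pps_limit * wire_bits(packet_bytes))


def limiting_factor(link_bps: float, pps_limit: float, packet_bytes: int) -> str:
    """Name the ceiling that is hit first at this packet size: 'pps' or 'bandwidth'."""
    return "pps" if pps_limit * wire_bits(packet_bytes) < link_bps else "bandwidth"


def capacity_profile(link_bps: float, pps_limit: float, packet_sizes):
    """Table of (packet size, usable Gbps, limiting factor) for capacity planning.

    Useful for checking a vendor's headline bandwidth figure against the
    small-packet floods that reflection attacks actually deliver.
    """
    return [
        (
            size,
            round(effective_capacity_bps(link_bps, pps_limit, size) / 1e9, 3),
            limiting_factor(link_bps, pps_limit, size),
        )
        for size in packet_sizes
    ]


if __name__ == "__main__":
    # Constructed hypothetical device: 10 Gbps link, 5 million pps forwarding limit.
    LINK_BPS = 10e9
    PPS_LIMIT = 5e6
    for size, gbps, factor in capacity_profile(LINK_BPS, PPS_LIMIT, [64, 128, 512, 1500]):
        print(f"{size:5d}-byte packets: {gbps:6.3f} Gbps usable (limited by {factor})")
```

Running the profile shows the effect the quote describes: at 1500-byte packets the hypothetical box delivers its full 10 Gbps, but at 64-byte packets the same box forwards only about 3.5 Gbps before its pps limit is reached, so "10 Gbps of capacity" is the wrong number to plan around when the flood is made of small packets.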
He also mentions filtering out DNS requests and protecting your DNS servers, among other tactics.
If you haven’t had the pleasure of being pummeled by a DoS, and having it magnified by reflection attacks, you probably will. So learning as much as you can and making sure you have proper defenses can help you keep sites up and running.