Teddy_Brewski
Collaborator

Help to mitigate DNS flood DDoS attacks

Hello,

Grateful for any tips/hints to mitigate DNS flood DDoS attacks which we've been experiencing recently.

We're running a bunch of R81.20s (all on Open Servers), as standalone gateways and VSXs. During the attack (which lasts ~10-15 minutes), the CPU goes to 100% with all concurrent connections utilized; therefore the fw stops processing traffic. The attacks target our authoritative DNS servers by flooding with UDP.

From the bandwidth perspective, there is no noticeable increase, so I assume the concurrent connections rate is exploited.

The source addresses are thousands of hosts from random subnets.

We do have L4 DDoS protection activated on the upstream ISP, and they do identify the attacks, however, by the time they mitigate it (up to 10 minutes), we are affected by intermittent (or complete lack of) connectivity.

In case it will be of help, we have Arista routers in front that can cope with the load but, unfortunately, have no rate-limiting functionality.

Any tips would be greatly appreciated! 

Thank you.

1 Reply
PhoneBoy
Admin

I'd rate-limit the incoming DNS requests on the gateway.
See: https://support.checkpoint.com/results/sk/sk112454 

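One way to put the reply's advice into practice, as an added example that is not part of the thread and not Check Point's own script: an Expert-shell script that composes sk112454-style `fw samp` quota rules for UDP/53 and, by default, only prints them. The threshold values, the environment-variable names, the `-t` timeout semantics and the `vsenv` note are assumptions; confirm the exact `fw samp` parameters against sk112454 for your release before running with `--apply`.

```shell
#!/bin/bash
# Added example, not from the thread or from Check Point: builds "fw samp"
# quota rules that rate-limit UDP/53 at the gateway, in the rule form
# documented in sk112454. Run in the Expert shell on the gateway; on VSX,
# switch to the affected VS first (assumed to be "vsenv <vsid>").
# All thresholds are ASSUMED placeholders; derive yours from a normal-day baseline.

DNS_SERVICE="17/53"                       # protocol/port: UDP/53
DNS_PKT_RATE="${DNS_PKT_RATE:-20000}"     # assumed: aggregate UDP/53 packets per second allowed
DNS_CONN_RATE="${DNS_CONN_RATE:-5000}"    # assumed: new UDP/53 connections per second allowed
RULE_TIMEOUT="${RULE_TIMEOUT:-3600}"      # seconds the rule stays installed (-t); assumed semantics, see sk112454

# Compose one quota rule. Argument: action letter, "n" = notify/log only, "d" = drop.
# No "source" clause on purpose: the flood comes from thousands of unrelated
# sources, so a per-source quota would never trip; the quota is on the service
# in aggregate. "flush true" is assumed (per sk112454) to also clear already
# established matching connections once the rule fires.
build_dns_quota_rule() {
  local action="$1"
  printf 'fw samp add -a %s -l r -t %s quota service %s new-conn-rate %s pkt-rate %s flush true\n' \
    "$action" "$RULE_TIMEOUT" "$DNS_SERVICE" "$DNS_CONN_RATE" "$DNS_PKT_RATE"
}

# Staged rollout: first a notify-only rule, to see how often the thresholds
# would trip during a flood without dropping anything; then the drop rule,
# once the thresholds are known not to hit legitimate resolver traffic.
plan_rules() {
  build_dns_quota_rule n
  build_dns_quota_rule d
}

# Print the planned commands (default) or install one of them with
# "--apply n" (notify) or "--apply d" (drop).
main() {
  if [ "${1:-}" = "--apply" ]; then
    eval "$(build_dns_quota_rule "${2:-n}")"
    fw samp get          # list installed rules with their UIDs (remove one with: fw samp del <uid>)
  else
    echo "# dry run; re-run with --apply n (notify) or --apply d (drop)"
    plan_rules
  fi
}

main "$@"
```

The timeout keeps an experimental rule from outliving the test window; drop it (or raise it) only after the notify stage has shown the thresholds sit well above the DNS servers' normal query rate.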
