[dns-operations] First experiments with DNS dampening to fight amplification attacks
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Oct 29 10:34:51 UTC 2012
On Mon, Oct 29, 2012 at 10:21:46AM +0000,
Dobbins, Roland <rdobbins at arbor.net> wrote
a message of 20 lines which said:
> I've only ever seen it deployed with connection tracking - i.e.,
> statefully.
Several TLDs use iptables for rate-limiting ANY amplification
attacks. They typically use the hashlimit module, which does not
activate connection tracking (which is mostly useless for DNS, anyway).
iptables -A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
Or, if you want to rate-limit only some patterns (ANY ripe.net...):
wget http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py
then:
domain=ripe.net
action=RATELIMITER
# Alternative: only log the matching queries instead of rate-limiting them.
# With this variant, skip the two commands that create and fill the chain below.
# action="LOG --log-prefix DNS-ANY-query-$domain"
rule=$(python generate-netfilter-u32-dns-rule.py --qname $domain --qtype ANY)
# The chain must exist before INPUT can jump to it
iptables --new-chain ${action}
iptables --append INPUT --destination ${MYSERVICEIPADDRESS} --protocol udp --destination-port 53 \
--match u32 --u32 "$rule" \
--jump ${action}
iptables -A ${action} -p udp --dport 53 -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP