[dns-operations] First experiments with DNS dampening to fight amplification attacks

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Oct 29 10:34:51 UTC 2012

On Mon, Oct 29, 2012 at 10:21:46AM +0000,
 Dobbins, Roland <rdobbins at arbor.net> wrote 
 a message of 20 lines which said:

> I've only ever seen it deployed with connection tracking - i.e.,
> statefully. 

Several TLD use iptables for rate-limiting ANY amplification
attacks. They typically use the hashlimit module, which does not
activate connection tracking (which is mostly useless for DNS, anyway).

iptables -A INPUT -p udp --dport 53 -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

Or, if you want to rate-limit only some patterns (ANY ripe.net...):

wget http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py


action="LOG --log-prefix DNS-ANY-query-$domain"
rule=$(python generate-netfilter-u32-dns-rule.py --qname $domain --qtype ANY)
iptables --append INPUT --destination ${MYSERVICEIPADDRESS} --protocol udp --destination-port 53 \
    --match u32 --u32 "$rule" \
    --jump ${action}
iptables -A ${action} -p udp --dport 53 -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

More information about the dns-operations mailing list