[dns-operations] Recently closed open resolver and reflection attacks

Scott Brynen scott.brynen at visioncritical.com
Wed Mar 6 18:17:33 UTC 2013

If you're not using the absolute latest BIND, you can do a quick and nasty using iptables.

Basically, if you get more than 12 hits in 75 seconds from the same IP, start dropping them. There are few DNS situations where a client would make that many requests back to back to back, and even if you start denying them, their resolver (if it's real) should just switch over to another NS server.

# Drop UDP/53 from a source that already has 12 or more hits in the last 75 seconds
iptables -A INPUT -p udp -m udp -m recent -i eth0 --dport 53 --update --seconds 75 --hitcount 12 --name DNSTHROTTLE --rsource -j DROP
# Otherwise record the source in the DNSTHROTTLE list and accept
iptables -A INPUT -p udp -m udp -m recent -i eth0 --dport 53 --set --name DNSTHROTTLE --rsource -j ACCEPT

>>I recently helped close down an open recursive resolver.  It is still getting a lot of queries for isc.org/ANY which get a refused response (unless
>>slipped/dropped by RRL).  Granted, this doesn't amplify the attack since REFUSED is a fairly small packet, but it is still traffic to the attacked site.
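As an added illustration (not from the post), here is a small Python model of what those two rules do per source, replaying the xt_recent --update/--set logic over constructed query timings. The addresses and timings are made up, and it assumes the hitcount stays at or below xt_recent's default per-address stamp cap of 20.

```python
from collections import deque


class RecentThrottle:
    """Per-source model of the two-rule chain above:
         rule 1: -m recent --update --seconds S --hitcount N  -> DROP
         rule 2: -m recent --set                               -> ACCEPT
    Every packet ends up stamped (rule 1 stamps on match, rule 2 otherwise),
    so a source that keeps sending while throttled stays throttled.
    """

    def __init__(self, seconds=75, hitcount=12):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = {}  # source IP -> deque of packet timestamps

    def packet(self, src, ts):
        """Verdict for one UDP/53 packet from src at time ts (seconds)."""
        q = self.stamps.setdefault(src, deque())
        # Only stamps inside the window count toward --hitcount; older ones
        # cannot affect the match, so forget them.
        while q and ts - q[0] >= self.seconds:
            q.popleft()
        hits = len(q)
        q.append(ts)  # --update on match, --set otherwise: recorded either way
        return "DROP" if hits >= self.hitcount else "ACCEPT"


def run(events, seconds=75, hitcount=12):
    """Feed (timestamp, source) events in time order; return (source, verdict) per packet."""
    th = RecentThrottle(seconds, hitcount)
    return [(src, th.packet(src, ts)) for ts, src in sorted(events)]


def demo():
    # Constructed traffic: a real resolver asking 6 questions over a minute,
    # a spoofed burst of 30 queries in about 9 s, and one more query from that
    # source after it has been quiet for longer than the window.
    legit = [(12.0 * i, "192.0.2.10") for i in range(6)]
    burst = [(0.3 * i, "198.51.100.7") for i in range(30)]
    after_pause = [(200.0, "198.51.100.7")]
    return run(legit + burst + after_pause)


if __name__ == "__main__":
    for src, verdict in demo():
        print(src, verdict)
```

The burst source gets its first 12 packets through, is dropped for the rest, and is accepted again once it has been silent for a full window; a source that keeps sending at 1 packet per second never recovers, because dropped packets still refresh its stamps.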
