- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
- Date: Tue, 28 Dec 2010 22:40:20 -0700
- List-archive: <http://lists.darkdna.net/pipermail/discuss>
- List-id: <discuss.lists.opennicproject.org>
OK, the culmination of the last couple hours, I think I have something easily implemented for any T2 operators. Presenting my current set of iptables rules...
# The limit match fires for packets WITHIN the rate, so it must ACCEPT; a "-m limit ... -j DROP" rule would drop normal-rate traffic and let the excess fall through.
iptables -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 50 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -m limit --limit 20/s --limit-burst 50 -j ACCEPT
# Anything over the rate reaches these rules: log a sample (at most 12/h), then drop.
iptables -A INPUT -p udp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p tcp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP
The results of testing this evening appear to be a great success. As far as I can tell, all normal queries are coming through at the same rate, but there is a huge amount of traffic that is being blocked (at the rate of around 1000 queries per minute).
The effect of these rules is that normal traffic of up to 20 packets per second is allowed, with bursts up to 50 packets. This could perhaps be relaxed even further if anyone thinks there is a case where normal usage would exceed this rate.
The rules also allow for logging the dropped packets, at a rate of once every 5 minutes (12/h). This lets the admin see in syslog that the rules are working, without flooding your logs. Also note you can use the following command to view realtime hits:
iptables -vxL INPUT -n
For those concerned about running a T2 due to bandwidth limitation, my bandwidth this evening has been around 10Kb/sec, which includes DNS queries, usage of my web sites, and general email traffic. The iptables rules above are easy to drop on any *nix server, and should effectively prevent excessive traffic from abusive sources.
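As an added illustration (not part of Jeff's post or of any OpenNIC tooling), the following simplified token-bucket model of iptables' `limit` match compares the two ways a DNS rate-limit chain can be ordered: the match fires for packets within the configured rate, so `-m limit ... -j DROP` discards the normal-rate traffic and lets the excess fall through, while `-m limit ... -j ACCEPT` followed by an unconditional DROP gives the "20 packets per second with bursts of 50" behaviour described above. The class and function names, the rate/burst values and the two constructed traffic streams are assumptions of this example.

```python
from fractions import Fraction

class LimitMatch:
    """Simplified token-bucket model of `-m limit --limit RATE/s --limit-burst BURST`
    (not the kernel's exact credit arithmetic). The match fires only while a token
    is available, i.e. for packets WITHIN the rate; packets over the rate do NOT
    match and fall through to the next rule in the chain."""

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)   # tokens added per second (--limit)
        self.burst = burst                   # bucket capacity (--limit-burst)
        self.tokens = Fraction(burst)        # bucket starts full
        self.last = Fraction(0)              # arrival time of the previous packet

    def matches(self, t):
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(Fraction(self.burst), self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def run_chain(arrivals, accept_within_limit):
    """Return (accepted, dropped) for a list of packet arrival times in seconds.
    accept_within_limit=True : `-m limit ... -j ACCEPT` followed by `-j DROP`
    accept_within_limit=False: `-m limit ... -j DROP` with everything else passing"""
    lim = LimitMatch(rate_per_sec=20, burst=50)
    accepted = dropped = 0
    for t in arrivals:
        within = lim.matches(t)
        if within == accept_within_limit:
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped

def constant_rate(pps, seconds):
    """Constructed arrival times for a source sending `pps` packets per second."""
    return [Fraction(i, pps) for i in range(pps * seconds)]

NORMAL_CLIENT = constant_rate(5, 10)    # constructed: 5 queries/s for 10 s
FLOOD_SOURCE = constant_rate(200, 10)   # constructed: 200 queries/s for 10 s

if __name__ == "__main__":
    for name, stream in (("normal client", NORMAL_CLIENT), ("flood", FLOOD_SOURCE)):
        print(name, "accept-within-limit:", run_chain(stream, True),
              "drop-within-limit:", run_chain(stream, False))
```

With the accept-then-drop ordering the normal client loses nothing and the flood is cut to the burst plus 20/s, whereas the drop-within-limit ordering inverts both results.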