
Re: [opennic-discuss] Killed an IP due to excessive usage


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
  • Date: Wed, 29 Dec 2010 10:39:15 -0700
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

Well crap... hate to say it, but these rules are NOT working. After spending a couple of hours with folks on IRC last night tweaking the rules, I ended up with "--limit 100/s --limit-burst 250". And when I got up this morning, I found that my T2 was unable to query itself! Yeah, that's not gonna work.

I think at this point the best plan will be to go back to a fail2ban rule. The rule for blocking the DDOS packets can be pretty specific, just have to figure out HOW to write the rule...


On 12/28/2010 10:40 PM, Jeff Taylor wrote:
OK, the culmination of the last couple of hours: I think I have something easily implemented by any T2 operator. Presenting my current set of iptables rules...

iptables -A INPUT -p udp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP
iptables -A INPUT -p tcp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p tcp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP

The results of testing this evening appear to be a great success. As far as I can tell, all normal queries are coming through at the same rate, but there is a huge amount of traffic that is being blocked (at the rate of around 1000 queries per minute).

The effect of these rules is that normal traffic of up to 20 packets per second is allowed, with bursts up to 50 packets. This could perhaps be relaxed even further if anyone thinks there is a case where normal usage would exceed this rate.

The rules also allow for logging the dropped packets, at a rate of once every 5 minutes (12/h). This lets the admin see in syslog that the rules are working, without flooding your logs. Also note you can use the following command to view realtime hits:

iptables -vxL INPUT -n

For those concerned about running a T2 due to bandwidth limitation, my bandwidth this evening has been around 10Kb/sec, which includes DNS queries, usage of my web sites, and general email traffic. The iptables rules above are easy to drop on any *nix server, and should effectively prevent excessive traffic from abusive sources.
_______________________________________________
discuss mailing list
discuss AT lists.opennicproject.org
http://lists.darkdna.net/mailman/listinfo/discuss
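Added example, not from this thread: a small Python model of the netfilter `limit` match (a token bucket, as documented in the iptables man page) run against the quoted rule set and against the corrected ordering, to show why the rules dropped the wrong packets. The `limit` match fires while tokens remain, so `-m limit ... -j DROP` discards the traffic that is within the limit and lets the excess fall through to the default ACCEPT policy; a slow client such as the server's own resolver is matched every time, which is the "unable to query itself" symptom. The packet rates, durations and the assumed INPUT policy of ACCEPT are constructed for the simulation.

```python
from fractions import Fraction

# Model of the netfilter "limit" match: a token bucket that REFILLS at
# --limit tokens per second up to --limit-burst. A packet MATCHES the rule
# while a token is available; once the bucket is empty the rule does NOT
# match and the packet falls through to the next rule (or the chain policy).
class LimitMatch:
    def __init__(self, rate, burst):
        self.rate = Fraction(rate)      # --limit, tokens added per second
        self.burst = Fraction(burst)    # --limit-burst, bucket capacity
        self.tokens = self.burst        # bucket starts full
        self.last = Fraction(0)         # time of the previous packet

    def matches(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def run_chain(packet_times, rules, policy="ACCEPT"):
    """Walk each packet through (match, target) rules in order; match=None is a
    catch-all. Unmatched packets get the chain policy (assumed ACCEPT here)."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for t in packet_times:
        verdict = policy
        for match, target in rules:
            if match is None or match.matches(t):
                verdict = target
                break
        counts[verdict] += 1
    return counts

def simulate(pps, seconds, rate=20, burst=50, corrected=False):
    """Evenly spaced packets at `pps` for `seconds` (constructed input) against:
      original : -m limit --limit 20/s --limit-burst 50 -j DROP
      corrected: -m limit --limit 20/s --limit-burst 50 -j ACCEPT
                 -j DROP      (everything over the limit, in that order)"""
    times = [Fraction(i, pps) for i in range(pps * seconds)]
    lim = LimitMatch(rate, burst)
    rules = [(lim, "ACCEPT"), (None, "DROP")] if corrected else [(lim, "DROP")]
    return run_chain(times, rules)

if __name__ == "__main__":
    for label, pps in (("flood at 100 pps", 100), ("own resolver at 2 pps", 2)):
        print(label, "original:", simulate(pps, 10),
              "corrected:", simulate(pps, 10, corrected=True))
```

Even with the ordering corrected, a single global `limit` bucket is shared by every source, so a flood can exhaust it and starve legitimate clients; a per-source bucket (`-m hashlimit --hashlimit-mode srcip`) or a fail2ban-style block of the offending addresses keeps the limit from punishing everyone.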



