
Re: [opennic-discuss] Killed an IP due to excessive usage

  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
  • Date: Wed, 29 Dec 2010 17:47:01 -0700
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

I prefer not to whitelist for something like this... If the configuration is blocking traffic from my own server, then it is also probably blocking other legitimate traffic - therefore the solution is not usable.

This evening I am testing a new approach.  I wrote a bash script which runs every 3 seconds and checks my BIND log for the specific entry from the DDOS attacks.  Any entries it finds are added to iptables, and I keep a table so that the offending IPs are removed from iptables after 10 minutes.  If they're still sending their queries, they get added back to iptables at the following 3-second check.  So far the script seems to be working perfectly... IPs have been getting added and removed this afternoon, so the script looks functional.  The only thing I would like to add is a method of counting offenses, providing some leeway so that they have to send perhaps 100 such packets before they are blocked?  I dunno, but at least the basic script is working as expected.


On 12/29/2010 01:53 PM, Dustin wrote:
Maybe you need to whitelist your localhost traffic or your lo adapter traffic before you add the limit rules?  

Also, you may want to explore the iptables RECENT feature if you haven't already tried it.  I use rules similar to the ones in the link below to drop overzealous SSH script kiddies on my server.  I imagine something similar would work as a DNS DDOS prevention technique.  
http://blog.andrew.net.au/2005/02/16

Dustin 


On Wed, Dec 29, 2010 at 12:39 PM, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
Well crap... hate to say it, but these rules are NOT working.  After spending a couple hours with folks on IRC last night tweaking the rules, I ended up with "--limit 100/s --limit-burst 250".  And when I got up this morning, I found that my T2 was unable to query itself!  Yeah, that's not gonna work.

I think at this point the best plan will be to go back to a fail2ban rule.  The rule for blocking the DDOS packets can be pretty specific, just have to figure out HOW to write the rule...



On 12/28/2010 10:40 PM, Jeff Taylor wrote:
OK, as the culmination of the last couple of hours, I think I have something easily implemented for any T2 operator.  Presenting my current set of iptables rules...

iptables -A INPUT -p udp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP
iptables -A INPUT -p tcp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p tcp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP

The results of testing this evening appear to be a great success.  As far as I can tell, all normal queries are coming through at the same rate, but there is a huge amount of traffic that is being blocked (at the rate of around 1000 queries per minute).

The effect of these rules is that normal traffic of up to 20 packets per second is allowed, with bursts up to 50 packets.  This could perhaps be relaxed even further if anyone thinks there is a case where normal usage would exceed this rate.

The rules also allow for logging the dropped packets, at a rate of once every 5 minutes (12/h).  This lets the admin see in syslog that the rules are working, without flooding your logs.  Also note you can use the following command to view realtime hits:

iptables -vxL INPUT -n

For those concerned about running a T2 due to bandwidth limitation, my bandwidth this evening has been around 10Kb/sec, which includes DNS queries, usage of my web sites, and general email traffic.  The iptables rules above are easy to drop on any *nix server, and should effectively prevent excessive traffic from abusive sources.
_______________________________________________
discuss mailing list
discuss AT lists.opennicproject.org
http://lists.darkdna.net/mailman/listinfo/discuss
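Jeff describes his log-scanning script above but does not post it; the following is an added example of one pass of that check, not his code or anything from OpenNIC. The BIND query-log lines, the "IN ANY" attack signature, the threshold of 3 (he suggests around 100) and the "ip epoch" state table are constructed or assumed for the example.

```sh
#!/bin/sh
# Added example (not Jeff's script): one pass of the check he describes. Scan the BIND
# query log for the attack signature, count hits per client, block a client once it
# reaches THRESHOLD hits, and drop the block again after BLOCK_SECONDS. The log lines
# and the "IN ANY" signature are constructed; the thread does not show the real pattern.
THRESHOLD=3            # Jeff suggested about 100 for production
BLOCK_SECONDS=600      # 10 minutes, as in the thread
DRY_RUN=${DRY_RUN:-1}  # 1 = print the iptables commands instead of running them

# Constructed sample: 203.0.113.5 sends three ANY queries, 198.51.100.7 one, 192.0.2.10 none.
SAMPLE_LOG='29-Dec-2010 17:40:01.001 client 203.0.113.5#4321: query: example.net IN ANY +
29-Dec-2010 17:40:01.002 client 203.0.113.5#4321: query: example.net IN ANY +
29-Dec-2010 17:40:01.003 client 198.51.100.7#5353: query: example.net IN ANY +
29-Dec-2010 17:40:01.004 client 192.0.2.10#5000: query: www.example.org IN A +
29-Dec-2010 17:40:01.005 client 203.0.113.5#4321: query: example.net IN ANY +'

# offenders LOGTEXT THRESHOLD -> client IPs with at least THRESHOLD signature hits
offenders() {
    printf '%s\n' "$1" | grep -F 'IN ANY' \
        | sed -n 's/.*client \([0-9][0-9.]*\)#.*/\1/p' \
        | sort | uniq -c | awk -v t="$2" '$1 >= t { print $2 }'
}

# expired STATE NOW -> IPs in STATE ("ip epoch" per line) blocked BLOCK_SECONDS or more ago
expired() {
    printf '%s\n' "$1" | awk -v now="$2" -v ttl="$BLOCK_SECONDS" \
        'NF == 2 && now - $2 >= ttl { print $1 }'
}

run_iptables() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }
block()   { run_iptables -I INPUT -s "$1" -p udp --dport 53 -j DROP; }
unblock() { run_iptables -D INPUT -s "$1" -p udp --dport 53 -j DROP; }

# One iteration of the 3-second loop, with a fixed clock so the run is reproducible.
main() {
    now=1293669000
    state="192.0.2.99 1293668300"    # blocked 700 s ago, so due for removal
    for ip in $(expired "$state" "$now"); do
        unblock "$ip"
        state=$(printf '%s\n' "$state" | grep -v "^$ip " || true)
    done
    for ip in $(offenders "$SAMPLE_LOG" "$THRESHOLD"); do
        block "$ip"
        state="$state
$ip $now"
    done
    printf '%s\n' "$state"   # the table a real script would persist between runs
}
main
```

A caveat on the quoted rate rules: the iptables limit match matches packets within the configured rate, so "-m limit ... -j DROP" drops the conforming packets and lets the excess fall through to later rules; the usual form is "-m limit ... -j ACCEPT" followed by an unconditional "-j DROP". Per-source DROP rules, as inserted by block() above, avoid that pitfall entirely.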