Re: [opennic-discuss] Killed an IP due to excessive usage


  • From: Dustin <nfhostnet AT gmail.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
  • Date: Thu, 30 Dec 2010 09:30:25 -0500
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

Perhaps I'm missing something here as I've never messed with the limit feature of iptables before.  


The rules below drop DNS requests from specific source IPs for a certain period of time after they hammer your machine, correct?
iptables -A INPUT -p udp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP
iptables -A INPUT -p tcp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p tcp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP

If so, and these rules had the unintentional side effect of not allowing your server to query itself after some time---i.e., iptables thought the host machine itself was a threat---the solution should be simple.  

One would hope that when the machine queries itself it does it over loopback (if not, point resolv.conf at 127.0.0.1?).  Anyhow, if that is true, all you need to do is 
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP
iptables -A INPUT -p tcp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p tcp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP

Whitelisting loopback presents no threat whatsoever.  

If for whatever reason the server doesn't use loopback to query itself you could use something like: 
iptables -A INPUT -p udp --dport 53 -s SERVERIP/255.255.255.255 -j ACCEPT
instead of the loopback rule and still be relatively safe.  The only thing you would have to worry about is people hammering your server who are also spoofing your server's IP. You may even be able to mitigate that odd threat more by making that rule only match requests leaving eth0 and coming in eth0 (using -i and -o in the rule), as I would think all requests from people on the net would only meet the incoming eth0 portion of it.  




On Thu, Dec 30, 2010 at 2:07 AM, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
Erg...bug report.  The awk command requires single quotes, and doesn't work right with the double quotes.  Line 9 should be this...


FILTER=`tail $LAST $LOGFILE | grep "query: isc.org IN ANY +ED" | awk '{ print $6 }' | cut -d\# -f1 | sort | uniq`

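Editor's note, added to this archive page and not part of either message above: two properties of `-m limit` decide whether rules like the ones quoted in this thread behave as intended. First, the limit match succeeds for packets that are *within* the token bucket (the burst plus the steady rate), so `-m limit --limit 20/s --limit-burst 50 -j DROP` drops the well-behaved share of port-53 traffic and lets everything above 20 pps fall through to the chain policy; the usual pattern is `-m limit ... -j ACCEPT` followed by an unconditional `DROP`. Second, `-m limit` keeps one bucket for the whole rule, not one per client, so a single flooding host empties it and the server's own loopback queries compete for the same tokens unless `-i lo -j ACCEPT` is placed first, which is the symptom and the fix discussed above; per-source limiting is what `-m hashlimit --hashlimit-mode srcip` provides. (Also, `-o` is only valid in the FORWARD, OUTPUT and POSTROUTING chains, so it cannot be combined with `-i` in an INPUT rule.) The simulation below is example code written for this note: it models chain evaluation and the token-bucket match over a constructed two-second trace (flood source 203.0.113.7, ordinary client 198.51.100.5, resolver queries from 127.0.0.1 over `lo`; all addresses are RFC 5737/loopback and invented for the example) and compares the chain as posted with the accept-then-drop and hashlimit variants. Refill is modelled as continuous; the kernel refills in jiffy-sized steps, which does not change the outcome here.

```python
# Toy model of iptables INPUT-chain evaluation with the 'limit' and 'hashlimit'
# matches. Example code for this archive note, not from the thread or from
# netfilter itself; the packet trace and addresses below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    t: float          # arrival time in seconds
    src: str
    iface: str        # "lo" or "eth0"
    proto: str = "udp"
    dport: int = 53


class TokenBucket:
    """'-m limit --limit RATE --limit-burst BURST': the rule MATCHES while a
    token is available, i.e. for the burst and the steady rate, not above it."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def match(self, pkt: Packet) -> bool:
        # continuous refill (approximation of the kernel's jiffy-based credit)
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class HashLimit:
    """'-m hashlimit --hashlimit-mode srcip': an independent bucket per source."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}

    def match(self, pkt: Packet) -> bool:
        bucket = self.buckets.setdefault(pkt.src, TokenBucket(self.rate, self.burst))
        return bucket.match(pkt)


@dataclass
class Rule:
    target: str                    # ACCEPT / DROP terminate; LOG falls through
    iface: Optional[str] = None    # -i
    src: Optional[str] = None      # -s
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    limit: object = None           # -m limit / -m hashlimit (stateful)


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First ACCEPT/DROP rule whose matches all succeed decides, else the policy."""
    for r in chain:
        static = ((r.iface, pkt.iface), (r.src, pkt.src),
                  (r.proto, pkt.proto), (r.dport, pkt.dport))
        if any(want is not None and want != have for want, have in static):
            continue
        if r.limit is not None and not r.limit.match(pkt):  # consulted last, like iptables
            continue
        if r.target in ("ACCEPT", "DROP"):
            return r.target
    return policy


def chain_as_posted() -> List[Rule]:
    # -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP
    return [Rule("DROP", proto="udp", dport=53, limit=TokenBucket(20, 50))]


def chain_loopback_then_limit() -> List[Rule]:
    # -A INPUT -i lo -j ACCEPT
    # -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 50 -j ACCEPT
    # -A INPUT -p udp --dport 53 -j DROP
    return [Rule("ACCEPT", iface="lo"),
            Rule("ACCEPT", proto="udp", dport=53, limit=TokenBucket(20, 50)),
            Rule("DROP", proto="udp", dport=53)]


def chain_per_source() -> List[Rule]:
    # -A INPUT -i lo -j ACCEPT
    # -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-mode srcip \
    #     --hashlimit-upto 20/s --hashlimit-burst 50 --hashlimit-name dns -j ACCEPT
    # -A INPUT -p udp --dport 53 -j DROP
    return [Rule("ACCEPT", iface="lo"),
            Rule("ACCEPT", proto="udp", dport=53, limit=HashLimit(20, 50)),
            Rule("DROP", proto="udp", dport=53)]


def build_trace() -> List[Packet]:
    """Constructed 2 s trace: one host floods at 200 qps, the server's own
    resolver asks 10 qps over loopback, a normal client asks 5 qps."""
    pkts = [Packet(k * 0.005, "203.0.113.7", "eth0") for k in range(400)]
    pkts += [Packet(k * 0.1 + 0.0025, "127.0.0.1", "lo") for k in range(20)]
    pkts += [Packet(k * 0.2 + 0.001, "198.51.100.5", "eth0") for k in range(10)]
    return sorted(pkts, key=lambda p: p.t)


def run(chain: List[Rule], trace: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Verdict counts per source address for a fresh chain over the trace."""
    counts: Dict[str, Dict[str, int]] = {}
    for pkt in trace:
        counts.setdefault(pkt.src, {"ACCEPT": 0, "DROP": 0})[evaluate(chain, pkt)] += 1
    return counts


if __name__ == "__main__":
    trace = build_trace()
    for name, chain in (("as posted", chain_as_posted()),
                        ("lo first, accept-then-drop", chain_loopback_then_limit()),
                        ("lo first, hashlimit per source", chain_per_source())):
        print(name, run(chain, trace))
```

Running it shows the three regimes: with the chain as posted, the flood is mostly accepted (only the ~90 packets the bucket can cover are dropped) and the first loopback queries are among the dropped ones; with the loopback rule first and accept-then-drop, every loopback query is accepted and the flood is capped at the bucket budget, but the ordinary client still shares that single budget with the flooder; with hashlimit keyed by source, the flooder is capped while the ordinary client gets all of its queries through.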



