
Re: [opennic-discuss] Killed an IP due to excessive usage


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
  • Date: Thu, 30 Dec 2010 11:54:38 -0700
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

Yes I could have simply whitelisted myself, but the problem is that my server is not performing what I would consider excessive lookups.  This machine doesn't handle email or anything like that, so there is almost no reason for it to be doing any lookups.  If a simple rule is blocking my own low-bandwidth usage, then what is it doing to someone who is actively browsing the internet?

I don't want to take the chance of affecting legitimate end users' lookups, plus I could find no method of resetting iptables limit counters, so if someone were to get blocked, I would have no way to unblock them.  So I decided to take a more hands-on approach by using a script to actively monitor for a specific situation.  And from what I can see, the script has been working beautifully overnight... it's blocking all the DDOS packets I've been seeing, but there haven't been any signs of false positives.  That is by far the best situation I could hope for!

We also know that these attacks/abuses on our servers change over time.  It seems like every few months a new situation comes up.  While my script is rather simplistic in using bash, it's also very easy to adjust to new situations, so it should be able to evolve over time.


On 12/30/2010 07:30 AM, Dustin wrote:
Perhaps I'm missing something here as I've never messed with the limit feature of iptables before.  


The rules below drop DNS requests from specific source IPs for a certain period of time after they hammer your machine, correct?
iptables -A INPUT -p udp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP
iptables -A INPUT -p tcp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p tcp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP

If so, and these rules had the unintentional side effect of not allowing your server to query itself after some time (i.e. iptables thought the host machine itself was a threat), the solution should be simple.

One would hope that when the machine queries itself it does it over loopback (if not, point resolv.conf at 127.0.0.1?).  Anyhow, if that is true, all you need to do is
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p udp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP
iptables -A INPUT -p tcp --dport 53 -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7
iptables -A INPUT -p tcp --dport 53 -m limit --limit 20/s --limit-burst 50 -j DROP

Whitelisting loopback presents no threat whatsoever.  

If for whatever reason the server doesn't use loopback to query itself you could use something like: 
iptables -A INPUT -p udp --dport 53 -s SERVERIP/255.255.255.255 -j ACCEPT
instead of the loopback rule and still be relatively safe.  The only thing you would have to worry about is people hammering your server who are also spoofing your server's IP. You may even be able to mitigate that odd threat more by making that rule only match requests leaving eth0 and coming in eth0 (using -i and -o in the rule), as I would think all requests from people on the net would only meet the incoming eth0 portion of it.
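The script below is an added example for this thread, not Jeff's monitoring script and not the rules Dustin posted. It shows the ruleset Dustin describes (loopback accepted first, then a log rule throttled to 12 lines per hour, then a drop rule at 20/s with a burst of 50) rebuilt so that it actually limits per source address. The `limit` match in the quoted rules keeps a single token bucket shared by every client, which is why one abuser can drain it and cause every other query, the host's own included, to be dropped; `hashlimit` in `srcip` mode keeps one bucket per source, and its entries expire on their own once a source goes quiet, which addresses Jeff's concern about having no way to reset a counter. The interface name eth0, the chain name DNS_ABUSE and the rates are assumptions chosen for the example; the functions print the rules so they can be reviewed without root, and `apply_rules` installs them.

```shell
#!/bin/sh
# Added example for the opennic-discuss thread; not code from either poster.
# Emits the DNS rate-limit ruleset in order so it can be reviewed (or tested)
# without root, then installs it with apply_rules. Interface name, rates and
# the DNS_ABUSE chain name are assumptions chosen for this example.

DNS_IFACE="${DNS_IFACE:-eth0}"   # public interface carrying client queries
RATE="${RATE:-20/s}"             # per-source rate above which we drop
BURST="${BURST:-50}"             # per-source burst allowance

# One rate-limit rule per protocol. 'limit' keeps a single bucket shared by
# every client, so one abuser drains it and everyone else's queries are
# dropped too (including the host's own). 'hashlimit' in srcip mode keeps a
# bucket per source address; entries expire on their own once a source goes
# quiet, so nothing has to be reset by hand. Live buckets can be inspected in
# /proc/net/ipt_hashlimit/dns_udp and /proc/net/ipt_hashlimit/dns_tcp.
limit_rule() {
    printf 'iptables -A INPUT -i %s -p %s --dport 53 -m hashlimit --hashlimit-name dns_%s --hashlimit-mode srcip --hashlimit-above %s --hashlimit-burst %s -j DNS_ABUSE\n' \
        "$DNS_IFACE" "$1" "$1" "$RATE" "$BURST"
}

dns_rules() {
    # Offenders are sent to their own chain: log at most 12 lines per hour
    # (a global 'limit' is fine here, it only throttles logging), then drop.
    echo 'iptables -N DNS_ABUSE'
    echo 'iptables -A DNS_ABUSE -m limit --limit 12/h -j LOG --log-prefix "DNS DDOS: " --log-level 7'
    echo 'iptables -A DNS_ABUSE -j DROP'
    # Loopback first, so the host's own queries to 127.0.0.1 never reach
    # the limiter at all.
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    limit_rule udp
    limit_rule tcp
}

apply_rules() {
    # Run each generated line, stopping at the first failure.
    # Needs root and a kernel with the xt_hashlimit module.
    dns_rules | sh -e
}

# Usage: sh dns_limits.sh          (print the rules for review)
#        sh dns_limits.sh apply    (install them)
case "${1:-show}" in
    apply) apply_rules ;;
    *)     dns_rules ;;
esac
```

Run it without arguments first and read the output; the loopback accept must be the first INPUT rule, or the resolver's own queries are subject to the same limiter as the public traffic. Because the drop decision is made per source address, a burst from one client no longer affects anyone else, and a client that slows down is admitted again automatically once its bucket refills.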




Archive powered by MHonArc 2.6.19.
