Re: [opennic-discuss] DDOS blocking

  • From: <kennytaylor AT runbox.com>
  • To: "discuss" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] DDOS blocking
  • Date: Thu, 04 Apr 2013 13:31:05 -0800 (PST)

My firewall box didn't support the iptables string module without a kernel
recompile, so I worked something out using hashlimit. All of the attack
packets are 56 bytes, including the IP header. I set up the limit rules to
limit only 56-byte packets:

iptables -A TO-NS1 -d 208.111.40.37 -p udp --dport 53 -m length --length 56 \
    -m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip --hashlimit-upto 20/s \
    --hashlimit-name DNSTHROTTLE -j ACCEPT \
    -m comment --comment "Allow 20 56-byte DNS queries per second, per host"

iptables -A TO-NS1 -d 208.111.40.37 -p udp --dport 53 -m length --length 56 \
    -j DROP -m comment --comment "Drop all other 56-byte DNS queries"

iptables -A TO-NS1 -d 208.111.40.37 -p udp --dport 53 \
    -j ACCEPT -m comment --comment "Allow all other incoming DNS queries"

Thanks,
Kenny


----- Start Original Message -----
Sent: Thu, 04 Apr 2013 15:05:49 -0600
From: Jeff Taylor <shdwdrgn AT sourpuss.net>
To: discuss AT lists.opennicproject.org
Subject: Re: [opennic-discuss] DDOS blocking

> There isn't really a resolution for the problem. The packets are
> spoofed, we can't just block all the requested IP addresses. However by
> blocking the specific type of packet, when we know it shouldn't be
> coming through, we can at least prevent our own servers from responding
> to the queries and contributing to the problem of amplification
> attacks. What more do you think we can do from our side?
>
>
> On 04/03/2013 08:25 AM, Aaron J. Angel wrote:
> >
> >> I'm starting to wonder if we should make it a policy to drop all ANY
> >> requests? It seems that is the key factor behind all of these attacks,
> >> and other than the servers talking between themselves, I don't know of
> >> any use a client would have for such a query.
> >
> > This doesn't resolve the problem, it just covers up a portion of
> > it. http://www.corecom.com/external/livesecurity/dnsamplification.htm
> >

----- End Original Message -----
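As an added illustration that is not part of this thread or of any OpenNIC configuration, the Python below simulates the per-source token bucket behind Kenny's hashlimit rules and walks the three rules in order over constructed traffic: a spoofed flood of 56-byte queries, a client querying once per second, and a larger query that the length match leaves alone. It assumes hashlimit's default burst of 5; the source addresses are documentation ranges chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Packet:
    t_ms: int      # arrival time in milliseconds (constructed sample data)
    src: str       # source IP as seen on the wire (spoofed in a reflection flood)
    length: int    # total length including the IP header
    dport: int = 53

class HashLimit:
    """Per-source token bucket like -m hashlimit --hashlimit-mode srcip: 'upto'
    packets/s sustained, 'burst' bucket size (assumed default 5); tokens are
    kept in thousandths so the arithmetic stays exact."""
    def __init__(self, upto, burst=5):
        self.upto, self.cap = upto, burst * 1000
        self.buckets = {}  # src -> (tokens_milli, last_seen_ms)

    def allow(self, src, t_ms):
        tokens, last = self.buckets.get(src, (self.cap, t_ms))
        tokens = min(self.cap, tokens + self.upto * (t_ms - last))
        if tokens >= 1000:
            self.buckets[src] = (tokens - 1000, t_ms)
            return True
        self.buckets[src] = (tokens, t_ms)
        return False

def chain_verdict(pkt, limiter, size=56):
    """The three rules from the post, evaluated in order for UDP/53 traffic."""
    if pkt.dport != 53:
        return "UNMATCHED"          # none of the three rules apply
    if pkt.length == size:
        return "ACCEPT" if limiter.allow(pkt.src, pkt.t_ms) else "DROP"
    return "ACCEPT"                 # other sizes are not rate limited

def run(packets, upto=20):
    """Apply the chain to a packet list; returns a Counter of (src, len, verdict)."""
    limiter = HashLimit(upto)
    counts = Counter()
    for pkt in packets:
        counts[(pkt.src, pkt.length, chain_verdict(pkt, limiter))] += 1
    return counts

# Constructed traffic: 200 spoofed 56-byte queries in one second from one
# claimed source, a client sending one 56-byte query per second, and a
# 70-byte query from the flood source that the length match does not cover.
FLOOD = [Packet(i * 5, "198.51.100.7", 56) for i in range(200)]
LEGIT = [Packet(i * 1000, "192.0.2.10", 56) for i in range(10)]
OTHER = [Packet(0, "198.51.100.7", 70)]

if __name__ == "__main__":
    for key, n in sorted(run(FLOOD + LEGIT + OTHER).items()):
        print(key, n)
```

The flood source gets its 5-packet burst plus 20 per second (24 of 200 accepted, the rest dropped), the slow client is never throttled, and the 70-byte query passes under the third rule, which is why the length match is what keeps the throttle from touching ordinary resolver traffic.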