Re: [opennic-discuss] DDOS blocking

  • From: <kennytaylor AT>
  • To: "discuss" <discuss AT>
  • Subject: Re: [opennic-discuss] DDOS blocking
  • Date: Thu, 04 Apr 2013 13:31:05 -0800 (PST)

My firewall box didn't support the iptables string module without a kernel
recompile, so I worked something out using hashlimit. All of the attack
packets are 56 bytes, including the IP header. I set up the limit rules to
limit only 56-byte packets:

iptables -A TO-NS1 -d -p udp --dport 53 -m length --length 56 \
  -m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip --hashlimit-upto 20/s \
  --hashlimit-name DNSTHROTTLE -j ACCEPT \
  -m comment --comment "Allow 20 56-byte DNS queries per second, per host"

iptables -A TO-NS1 -d -p udp --dport 53 -m length --length 56 \
  -j DROP -m comment --comment "Drop all other 56-byte DNS queries"

iptables -A TO-NS1 -d -p udp --dport 53 -j ACCEPT \
  -m comment --comment "Allow all other incoming DNS queries"


----- Start Original Message -----
Sent: Thu, 04 Apr 2013 15:05:49 -0600
From: Jeff Taylor <shdwdrgn AT>
To: discuss AT
Subject: Re: [opennic-discuss] DDOS blocking

> There isn't really a resolution for the problem. The packets are
> spoofed, we can't just block all the requested IP addresses. However by
> blocking the specific type of packet, when we know it shouldn't be
> coming through, we can at least prevent our own servers from responding
> to the queries and contributing to the problem of amplification
> attacks. What more do you think we can do from our side?
> On 04/03/2013 08:25 AM, Aaron J. Angel wrote:
> >
> >> I'm starting to wonder if we should make it a policy to drop all ANY
> >> requests? It seems that is the key factor behind all of these attacks,
> >> and other than the servers talking between themselves, I don't know of
> >> any use a client would have for such a query.
> >
> > This doesn't resolve the problem, it just covers it up a portion of
> > it.
> >

----- End Original Message -----
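Editor's added example (not part of the thread and not the poster's own code): a small simulation of the three-rule policy above, so a defender can sanity-check what the chain does before loading it. It models hashlimit as a per-source token bucket with the rule's 20/s rate and the iptables default burst of 5, applies the length-56 match exactly as the rules do, and runs it over constructed traffic: one source flooding 200 56-byte queries in a second, one ordinary client sending three 56-byte queries, and one client sending larger queries that the throttle should never touch. The exact credit accounting of the kernel's hashlimit differs in detail; this is an approximation of its behaviour, and all addresses and timings are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction

# Parameters taken from the posted rules. BURST is the iptables hashlimit
# default for --hashlimit-burst (assumed here since the rules do not set it).
RATE_PER_SEC = Fraction(20)   # --hashlimit-upto 20/s
BURST = Fraction(5)           # default --hashlimit-burst
MATCH_LEN = 56                # -m length --length 56


@dataclass
class Packet:
    ts: Fraction   # arrival time in seconds (exact arithmetic, no float drift)
    src: str
    proto: str
    dport: int
    length: int


class HashLimit:
    """Per-source token bucket approximating hashlimit --hashlimit-mode srcip."""

    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # src -> (tokens, last_seen_ts)

    def allow(self, src, ts):
        tokens, last = self.buckets.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, ts)
            return True
        self.buckets[src] = (tokens, ts)
        return False


def decide(pkt, limiter):
    """Walk the TO-NS1 rules in order and return the verdict for one packet."""
    if pkt.proto != "udp" or pkt.dport != 53:
        return "NOMATCH"  # none of the three rules applies
    if pkt.length == MATCH_LEN:
        # rule 1: 56-byte query within the per-source limit -> ACCEPT
        # rule 2: any other 56-byte query -> DROP
        return "ACCEPT" if limiter.allow(pkt.src, pkt.ts) else "DROP"
    return "ACCEPT"   # rule 3: every other DNS query is allowed


def simulate(packets):
    """Return per-source ACCEPT/DROP counts for a list of packets."""
    limiter = HashLimit()
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for p in sorted(packets, key=lambda p: p.ts):
        verdict = decide(p, limiter)
        if verdict != "NOMATCH":
            counts[p.src][verdict] += 1
    return dict(counts)


def sample_traffic():
    """Constructed traffic: a flood, a normal client, and larger queries."""
    pkts = []
    # 200 spoofed 56-byte queries spread evenly over one second
    for i in range(200):
        pkts.append(Packet(Fraction(i, 200), "203.0.113.5", "udp", 53, 56))
    # three legitimate 56-byte queries half a second apart
    for i in range(3):
        pkts.append(Packet(Fraction(i, 2), "198.51.100.7", "udp", 53, 56))
    # fifty 73-byte queries in one second: not matched by the throttle at all
    for i in range(50):
        pkts.append(Packet(Fraction(i, 50), "192.0.2.9", "udp", 53, 73))
    return pkts


if __name__ == "__main__":
    for src, c in simulate(sample_traffic()).items():
        print(f"{src}: accepted={c['ACCEPT']} dropped={c['DROP']}")
```

With these inputs the flooding source gets its initial burst of 5 through and then one packet per 50 ms (24 accepted, 176 dropped), the ordinary client loses nothing, and the 73-byte queries pass untouched. The same harness makes it easy to see the limitation Jeff Taylor raises: because the bucket is keyed on the spoofed source address, the throttle bounds how much each forged address can make the server emit, but it does not identify the real origin.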
