- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] DDOS blocking
- Date: Thu, 04 Apr 2013 15:36:58 -0600
That might help calm down the storm of traffic; however, you are easily
going to be blocking legitimate traffic as well. Just watching my
queries for a minute, I'm seeing a legitimate 56-byte packet about every
2-3 seconds. Remember that real queries are pretty small anyway, so
trying to filter on packet size is going to net you a LOT of
false positives.
On 04/04/2013 03:31 PM, kennytaylor AT runbox.com wrote:
> My firewall box didn't support the iptables string module without a kernel
> recompile, so I worked something out using hashlimit. All of the attack
> packets are 56 bytes, including the IP header. I set up the limit rules to
> limit only 56-byte packets:
>
> iptables -A TO-NS1 -d 208.111.40.37 -p udp --dport 53 -m length --length 56 \
>     -m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip \
>     --hashlimit-upto 20/s --hashlimit-name DNSTHROTTLE -j ACCEPT \
>     -m comment --comment "Allow 20 56-byte DNS queries per second, per host"
>
> iptables -A TO-NS1 -d 208.111.40.37 -p udp --dport 53 -m length --length 56 \
>     -j DROP -m comment --comment "Drop all other 56-byte DNS queries"
>
> iptables -A TO-NS1 -d 208.111.40.37 -p udp --dport 53 \
>     -j ACCEPT -m comment --comment "Allow all other incoming DNS queries"
>
> Thanks,
> Kenny
>
>
> ----- Start Original Message -----
> Sent: Thu, 04 Apr 2013 15:05:49 -0600
> From: Jeff Taylor <shdwdrgn AT sourpuss.net>
> To: discuss AT lists.opennicproject.org
> Subject: Re: [opennic-discuss] DDOS blocking
>
>> There isn't really a resolution for the problem. The packets are
>> spoofed, we can't just block all the requested IP addresses. However by
>> blocking the specific type of packet, when we know it shouldn't be
>> coming through, we can at least prevent our own servers from responding
>> to the queries and contributing to the problem of amplification
>> attacks. What more do you think we can do from our side?
>>
>>
>> On 04/03/2013 08:25 AM, Aaron J. Angel wrote:
>>>> I'm starting to wonder if we should make it a policy to drop all ANY
>>>> requests? It seems that is the key factor behind all of these attacks,
>>>> and other than the servers talking between themselves, I don't know of
>>>> any use a client would have for such a query.
>>> This doesn't resolve the problem; it just covers up a portion of it.
>>> http://www.corecom.com/external/livesecurity/dnsamplification.htm
>>>
>>
>>
>> --------
>> You are a member of the OpenNIC Discuss list.
>> You may unsubscribe by emailing
>> discuss-unsubscribe AT lists.opennicproject.org
> ----- End Original Message -----
- [opennic-discuss] DDOS blocking, kennytaylor, 04/03/2013
- Re: [opennic-discuss] DDOS blocking, Jeff Taylor, 04/03/2013
- Re: [opennic-discuss] DDOS blocking, Aaron J. Angel, 04/03/2013
- Re: [opennic-discuss] DDOS blocking, Jeff Taylor, 04/04/2013
- Re: [opennic-discuss] DDOS blocking, kennytaylor, 04/04/2013
- Re: [opennic-discuss] DDOS blocking, Jeff Taylor, 04/04/2013
- Re: [opennic-discuss] DDOS blocking, kennytaylor, 04/04/2013
- Re: [opennic-discuss] DDOS blocking, Alex M (Coyo), 04/04/2013
- Re: [opennic-discuss] DDOS blocking, kennytaylor, 04/04/2013
- Re: [opennic-discuss] DDOS blocking, Jeff Taylor, 04/04/2013
- Re: [opennic-discuss] DDOS blocking, kennytaylor, 04/04/2013
- Re: [opennic-discuss] DDOS blocking, David Norman, 04/06/2013
- Re: [opennic-discuss] DDOS blocking, Kenny Taylor, 04/06/2013
- Re: [opennic-discuss] DDOS blocking, David Norman, 04/06/2013
- Re: [opennic-discuss] DDOS blocking, Jeff Taylor, 04/07/2013
- Re: [opennic-discuss] DDOS blocking, David Norman, 04/06/2013
- Re: [opennic-discuss] DDOS blocking, Kenny Taylor, 04/06/2013
- Re: [opennic-discuss] DDOS blocking, Jeff Taylor, 04/04/2013
- Re: [opennic-discuss] DDOS blocking, Kenny Taylor, 04/03/2013
- Re: [opennic-discuss] DDOS blocking, Aaron J. Angel, 04/03/2013
- Re: [opennic-discuss] DDOS blocking, Jeff Taylor, 04/03/2013