Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] DDOS blocking

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] DDOS blocking


Chronological Thread 
  • From: <kennytaylor AT runbox.com>
  • To: "discuss" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] DDOS blocking
  • Date: Thu, 04 Apr 2013 13:46:37 -0800 (PST)

I'll take a closer look, but in the calm between floods, nothing seemed to be
hitting the drop rule. It's limiting by source IP, so I expected very few
false-positives.

Kenny

----- Start Original Message -----
Sent: Thu, 04 Apr 2013 15:36:58 -0600
From: Jeff Taylor <shdwdrgn AT sourpuss.net>
To: discuss AT lists.opennicproject.org
Subject: Re: [opennic-discuss] DDOS blocking

> That might help calm down the storm of traffic, however you are easily
> going to be blocking legitimate traffic as well. Just watching my
> queries for a minute, I'm seeing a legitimate 56-byte packet about every
> 2-3 seconds. Remember that real queries are pretty small anyway, so
> trying to filter on packet size is going to net you a LOT of
> false-positives.
>
>
> On 04/04/2013 03:31 PM, kennytaylor AT runbox.com wrote:
> > My firewall box didn't support the iptables string module without a
> > kernel recompile, so I worked something out using hashlimit. All of the
> > attack packets are 56 bytes, including the IP header. I set up the limit
> > rules to limit only 56-byte packets:
> >
> > iptables -A TO-NS1 -d 208.111.40.37 -p udp --dport 53 -m length --length
> > 56 -m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip
> > --hashlimit-upto 20/s --hashlimit-name DNSTHROTTLE -j ACCEPT -m comment
> > --comment "Allow 20 56-byte DNS queries per second, per host"
> >
> > iptables -A TO-NS1 -d 208.111.40.37 -p udp --dport 53 -m length --length
> > 56 -j DROP -m comment --comment "Drop all other 56-byte DNS queries"
> >
> > iptables -A TO-NS1 -d 208.111.40.37 -p udp --dport 53 -j ACCEPT -m
> > comment --comment "Allow all other incoming DNS queries"
> >
> > Thanks,
> > Kenny
> >
> >
> > ----- Start Original Message -----
> > Sent: Thu, 04 Apr 2013 15:05:49 -0600
> > From: Jeff Taylor <shdwdrgn AT sourpuss.net>
> > To: discuss AT lists.opennicproject.org
> > Subject: Re: [opennic-discuss] DDOS blocking
> >
> >> There isn't really a resolution for the problem. The packets are
> >> spoofed, we can't just block all the requested IP addresses. However by
> >> blocking the specific type of packet, when we know it shouldn't be
> >> coming through, we can at least prevent our own servers from responding
> >> to the queries and contributing to the problem of amplification
> >> attacks. What more do you think we can do from our side?
> >>
> >>
> >> On 04/03/2013 08:25 AM, Aaron J. Angel wrote:
> >>>> I'm starting to wonder if we should make it a policy to drop all ANY
> >>>> requests? It seems that is the key factor behind all of these attacks,
> >>>> and other than the servers talking between themselves, I don't know of
> >>>> any use a client would have for such a query.
> >>> This doesn't resolve the problem, it just covers it up a portion of
> >>> it. http://www.corecom.com/external/livesecurity/dnsamplification.htm
> >>>
> >>
> >>
> >> --------
> >> You are a member of the OpenNIC Discuss list.
> >> You may unsubscribe by emailing
> >> discuss-unsubscribe AT lists.opennicproject.org
> > ----- End Original Message -----
> >
> >
> > --------
> > You are a member of the OpenNIC Discuss list.
> > You may unsubscribe by emailing
> > discuss-unsubscribe AT lists.opennicproject.org
>
>
>
> --------
> You are a member of the OpenNIC Discuss list.
> You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org

----- End Original Message -----


Archive powered by MHonArc 2.6.19.

Top of Page