
Re: [opennic-discuss] DoS amp attack today


  • From: Tim Groeneveld <tim AT timgws.com.au>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DoS amp attack today
  • Date: Tue, 16 Apr 2013 00:47:40 -0400 (EDT)



----- Original Message -----
> Rate-limiting is the best first-step in this game. Even if you can't
> prevent your server from being used in an attack, you can at least
> greatly limit the actual damage being done to yourself and the
> intended target. I would highly recommend that ALL public DNS
> servers implement some manner of rate limiting.


This is correct.

There are two netfilter/iptables patches that we can use to help this.

First is a quota patch:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.13

It allows you to set quotas. When the quota is reached, the rule doesn't
match any more.

See the examples. We can use this to limit incoming data to say 512KB per day
(there should not be more than that coming in from one IP...)

We can also limit the number of parallel DNS connections.

See also http://software.klolik.org/xt_dns/
See also http://www.topology.org/linux/iptables_dns_flood.html
See also
https://lists.dns-oarc.net/pipermail/dns-operations/2012-October/009321.html

Regards,
Tim
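The rule set below is an added illustration of the approach Tim describes, not his configuration or anything from the OpenNIC project. It builds one iptables chain for a public resolver from three matches: `connlimit` for the number of parallel DNS conversations per source address, `hashlimit` for a per-source packet rate, and `quota` for a daily byte budget. One detail worth knowing when reading the thread: the `quota` match counts bytes for the whole rule, not per source, so the per-address cap has to come from `hashlimit` (or an ipset), while `quota` acts as a server-wide backstop that is reset by rebuilding the chain from cron. The chain name, the numeric limits, IPv4-only and port 53 are assumptions for the example, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the thread author's or OpenNIC's own configuration.
# Builds an iptables chain for a public resolver that combines the three
# matches discussed in the thread:
#   connlimit  - cap concurrent conntrack entries per source /32
#   hashlimit  - cap query packets per second per source /32
#   quota      - global daily byte budget; the rule stops matching once the
#                budget is spent, and does not reset on its own
# Assumed (not from the thread): IPv4 only, port 53, and the xt_connlimit,
# xt_hashlimit and xt_quota modules loaded.  DRY_RUN=1 prints the commands
# instead of executing them.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"
CHAIN="DNS_RATELIMIT"

# Tunables.  The numbers are illustrative starting points, not recommendations.
PER_SRC_CONNS="${PER_SRC_CONNS:-16}"                 # concurrent entries per source
PER_SRC_QPS="${PER_SRC_QPS:-20}"                     # sustained queries/s per source
PER_SRC_BURST="${PER_SRC_BURST:-50}"                 # packets allowed above that briefly
DAILY_QUOTA_BYTES="${DAILY_QUOTA_BYTES:-536870912}"  # 512 MiB/day for the whole server

# run: execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dns_ratelimit_rules: (re)build the chain.  Rebuilding is what resets the
# quota counter, so a daily cron entry simply calls this function again.
dns_ratelimit_rules() {
    run "$IPT" -N "$CHAIN" 2>/dev/null || true   # ignore "chain already exists"
    run "$IPT" -F "$CHAIN"

    # Too many simultaneous conversations (conntrack entries) from one address.
    run "$IPT" -A "$CHAIN" -m connlimit --connlimit-above "$PER_SRC_CONNS" \
        --connlimit-mask 32 -j DROP

    # Per-source packet rate; every /32 gets its own bucket in table dns_src.
    run "$IPT" -A "$CHAIN" -m hashlimit --hashlimit-mode srcip \
        --hashlimit-above "${PER_SRC_QPS}/second" --hashlimit-burst "$PER_SRC_BURST" \
        --hashlimit-name dns_src -j DROP

    # Server-wide budget: accept while bytes remain, then fall through to DROP.
    run "$IPT" -A "$CHAIN" -m quota --quota "$DAILY_QUOTA_BYTES" -j ACCEPT
    run "$IPT" -A "$CHAIN" -j DROP
}

# hook_input: send inbound DNS (UDP and TCP) through the chain, once.
hook_input() {
    for proto in udp tcp; do
        if [ "$DRY_RUN" = "1" ] || ! "$IPT" -C INPUT -p "$proto" --dport 53 -j "$CHAIN" 2>/dev/null; then
            run "$IPT" -A INPUT -p "$proto" --dport 53 -j "$CHAIN"
        fi
    done
}

# Usage:  DRY_RUN=1 sh dns-ratelimit.sh apply   (print the rules)
#         sh dns-ratelimit.sh apply             (install them, as root)
if [ "${1:-}" = "apply" ]; then
    dns_ratelimit_rules
    hook_input
fi
```

Run it once with `DRY_RUN=1` to review the generated commands, then without, as root, and add a daily cron entry that calls the same script so the quota counter starts fresh each day.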


