Re: [opennic-discuss] iptables rules inefficient


  • From: <kennytaylor AT runbox.com>
  • To: "discuss" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] iptables rules inefficient
  • Date: Mon, 20 May 2013 08:04:29 -0700 (PDT)

Hi Psilo,

I have been doing battle with the isc.org ANY queries for a month or so.
Those queries are all 64 bytes in length, so I set iptables rules to handle
64-byte packets differently. Basically this:

- If packet length = 64, then allow up to 1/second per source IP (matches
isc.org ANY queries)
- Drop all 64-byte packets in excess of above rule
- If packet length = 56, then allow up to 1/second per source IP

----- Start Original Message -----
Sent: Mon, 20 May 2013 16:23:00 +0200
From: Psilo <dns AT psilo.org>
To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
Subject: [opennic-discuss] iptables rules inefficient

> Dear OpenNIC,
>
> I have set up my iptables rules according to the wiki but am still getting a
> lot of unwanted traffic with isc.org and ripe.net.
> Here is the output of dnstop:
>
> Query Name            Count      %
> -------------------  -------  -----
> ripe.net                 590   54.2
> isc.org                  406   37.3
> cnr.it                    13    1.2
> akamaiedge.net             6    0.6
> 140.in-addr.arpa           6    0.6
> 125.in-addr.arpa           5    0.5
> 2-0.pl                     5    0.5
> 86.in-addr.arpa            5    0.5
> multi-play.pl              4    0.4
> multi-play.eu              4    0.4
> net.pl                     4    0.4
> 202.in-addr.arpa           3    0.3
> 46.in-addr.arpa            3    0.3
> 91.in-addr.arpa            3    0.3
>
> I have set up the following iptables rules, which were supposed to block this
> traffic:
>
> # isc.org: DNS header bytes 6-11 (ANCOUNT=0, NSCOUNT=0, ARCOUNT=1) followed by QNAME "isc.org"
> -A DNSFILTER -p udp --dport 53 -m string --algo bm --hex-string "|00000000000103697363036f726700|" -j DROP
> # ripe.net: same header bytes followed by QNAME "ripe.net"
> -A DNSFILTER -p udp --dport 53 -m string --algo bm --hex-string "|0000000000010472697065036e6574|" -j DROP
>
> The "ddos.pl" script is not efficient either.
>
> I am getting annoyed by my provider, who wants to cut off the server because of
> this traffic.
>
> Can you please help me figure out what's wrong? Do you have a more aggressive
> version of these filters?
>
> Thanks
> Psilo
>

----- End Original Message -----
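The 64-byte figure in the reply above and the hex patterns in the quoted DNSFILTER rules both follow from the layout of a DNS query datagram. As an added example (not code from either poster, nor from the OpenNIC wiki), this Python script builds such a query, computes the IPv4 total length that `iptables -m length` compares against, and checks whether the two `--hex-string` patterns quoted above would match it. The transaction ID, the flags, the 4096-byte EDNS buffer size and the `www.com` name are constructed values, not taken from the thread.

```python
import struct

# Header sizes that sit in front of the DNS payload on the wire (constructed
# example; IPv4 without options, UDP).
IPV4_HEADER_LEN = 20
UDP_HEADER_LEN = 8

QTYPE_ANY = 255
QCLASS_IN = 1
TYPE_OPT = 41

# The two --hex-string patterns from the quoted DNSFILTER rules.
ISC_PATTERN = "|00000000000103697363036f726700|"
RIPE_PATTERN = "|0000000000010472697065036e6574|"


def encode_qname(name: str) -> bytes:
    """Encode 'isc.org' as length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, edns: bool = True,
                txid: int = 0x1234, udp_payload_size: int = 4096) -> bytes:
    """Return the DNS payload of a query, optionally with an EDNS0 OPT record.

    txid and udp_payload_size are constructed values; a large advertised UDP
    buffer is what lets an ANY response be returned as one big UDP reply.
    """
    flags = 0x0100                      # QR=0, opcode QUERY, RD=1
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b""
    if edns:
        # OPT pseudo-RR: root name (1 byte), TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags, RDLENGTH=0 -> 11 bytes in total.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)
    return header + question + opt


def ip_total_length(dns_payload: bytes) -> int:
    """Length that `iptables -m length --length N` compares for UDP over IPv4."""
    return IPV4_HEADER_LEN + UDP_HEADER_LEN + len(dns_payload)


def hex_string_matches(pattern: str, dns_payload: bytes) -> bool:
    """Emulate `-m string --hex-string "|..|"` for a pure-hex pattern.

    iptables searches the whole packet from offset 0; for these patterns the
    verdict is decided by the DNS payload, so that is what is searched here.
    """
    needle = bytes.fromhex(pattern.strip("|").replace(" ", ""))
    return needle in dns_payload


def summarize(name: str, edns: bool = True, qtype: int = QTYPE_ANY) -> dict:
    """Length and hex-rule verdicts for one query as the filter would see it."""
    payload = build_query(name, qtype=qtype, edns=edns)
    return {
        "ip_len": ip_total_length(payload),
        "isc_rule": hex_string_matches(ISC_PATTERN, payload),
        "ripe_rule": hex_string_matches(RIPE_PATTERN, payload),
    }


if __name__ == "__main__":
    for name in ("isc.org", "ripe.net", "www.com"):
        for edns in (True, False):
            print(f"{name:9} edns={edns!s:5} {summarize(name, edns)}")
```

Two things fall out of the numbers. The hex patterns start at DNS header offset 6 (ANCOUNT, NSCOUNT, ARCOUNT = 0, 0, 1), so the quoted string rules only catch queries that carry an EDNS0 OPT record; the same isc.org ANY query without EDNS is 53 bytes and passes them. Conversely, `-m length --length 64` keys on the IP total length, so a 64-byte rate limit of the kind described in the reply (`-m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/sec`) also throttles legitimate EDNS queries for any other two-label name of the same encoded size, such as `www.com` above.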


Archive powered by MHonArc 2.6.19.