
Re: [opennic-discuss] iptables rules inefficient


  • From: <kennytaylor AT runbox.com>
  • To: "discuss" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] iptables rules inefficient
  • Date: Mon, 20 May 2013 08:10:09 -0700 (PDT)

(sorry, hit the send button too early)

Hi Psilo,

I have been doing battle with the isc.org ANY queries for a month or so.
Those queries are all 64 bytes in length, so I set iptables rules to handle
64-byte packets differently. Basically this:

- If packet length = 64, then allow up to 1/second per source IP (matches
isc.org ANY queries)
- Drop all 64-byte packets in excess of above rule
- If packet length = 56, then allow up to 2/second per source IP (matches
root zone ANY queries)
- Drop all 56-byte packets in excess of above rule
- Allow all other UDP DNS traffic

That has limited the attack traffic generated to around 500 kbit/sec, which
is much more manageable. Here are the raw iptables rules I'm using:

## Rate limit 64-byte queries (ANY against isc.org)
iptables -A TO-NS1 -d <dns_server_IP> -p udp --dport 53 -m length --length 64
-m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip --hashlimit-upto
1/s --hashli$
iptables -A TO-NS1 -d <dns_server_IP> -p udp --dport 53 -m length --length 64
-j DROP -m comment --comment "Drop all other 64-byte DNS queries"

## Rate limit ANY queries against the root zone
iptables -A TO-NS1 -d <dns_server_IP> -p udp --dport 53 -m length --length 56
-m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip --hashlimit-upto
2/s --hashli$
iptables -A TO-NS1 -d <dns_server_IP> -p udp --dport 53 -m length --length 56
-j DROP -m comment --comment "Drop all other 56-byte DNS queries"

Hope that helps,
Kenny


> ----- Start Original Message -----
> Sent: Mon, 20 May 2013 16:23:00 +0200
> From: Psilo <dns AT psilo.org>
> To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
> Subject: [opennic-discuss] iptables rules inefficient
>
> > Dear OpenNIC,
> >
> > I have set up my iptables rules according to the wiki but I am still getting
> > a lot of unwanted traffic with isc.org and ripe.net.
> > Here is the output of dnstop:
> >
> > Query Name         Count      %
> > ----------------   ---------  ------
> > ripe.net           590        54.2
> > isc.org            406        37.3
> > cnr.it             13         1.2
> > akamaiedge.net     6          0.6
> > 140.in-addr.arpa   6          0.6
> > 125.in-addr.arpa   5          0.5
> > 2-0.pl             5          0.5
> > 86.in-addr.arpa    5          0.5
> > multi-play.pl      4          0.4
> > multi-play.eu      4          0.4
> > net.pl             4          0.4
> > 202.in-addr.arpa   3          0.3
> > 46.in-addr.arpa    3          0.3
> > 91.in-addr.arpa    3          0.3
> >
> > I have set up the following iptables rules, which were supposed to block
> > this traffic:
> >
> > # isc.org
> > -A DNSFILTER -p udp -m string --hex-string
> > "|00000000000103697363036f726700|" --algo bm --dport 53 -j DROP
> > # ripe.net
> > -A DNSFILTER -p udp -m string --hex-string
> > "|0000000000010472697065036e6574|" --algo bm --dport 53 -j DROP
> >
> > The "ddos.pl" script is not efficient either.
> >
> > I am getting annoyed by my provider who wants to cut the server because of
> > this traffic.
> >
> > Can you please help me figure out what's wrong? Do you have a more
> > aggressive version of these filters?
> >
> > Thanks
> > Psilo
> >
> >
> > --------
> > You are a member of the OpenNIC Discuss list.
> > You may unsubscribe by emailing
> > discuss-unsubscribe AT lists.opennicproject.org
>
> ----- End Original Message -----

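The two approaches in this thread rely on two different packet fingerprints: Psilo's rule matches the isc.org question bytes with xt_string, and Kenny's rules key on the on-the-wire packet length (64 and 56 bytes) and then apply a per-source hashlimit. The following Python is an added worked example, not code from either poster or from the OpenNIC wiki. It builds the two query shapes from the thread, shows where the 64- and 56-byte lengths come from, checks the hex pattern quoted in Psilo's mail against them, and emulates Kenny's length-keyed hashlimit over a small constructed trace. Assumptions: IPv4 without options plus UDP (28 bytes of headers), an EDNS0 UDP payload size of 4096, a transaction ID of 0x1234, and hashlimit's default burst of 5; the source addresses and timings in the trace are made up.

```python
"""Constructed example: fingerprint the two query shapes from the thread by
on-the-wire length, check the wiki hex pattern, and emulate hashlimit."""
import struct

IP_UDP_OVERHEAD = 20 + 8          # assumed: IPv4 header without options + UDP header
QTYPE_A, QTYPE_ANY, TYPE_OPT = 1, 255, 41
WIKI_ISC_PATTERN = bytes.fromhex("00000000000103697363036f726700")  # from Psilo's rule


def encode_name(name):
    """Dotted name -> DNS wire labels; "" or "." encodes the root zone."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.strip(".").split(".") if l)
    return labels + b"\x00"


def build_query(name, qtype, edns_bufsize=4096, txid=0x1234):
    """DNS query payload: 12-byte header, one question, optional EDNS0 OPT RR."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack(">HH", qtype, 1)     # class IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def wire_length(payload):
    """What `-m length --length` compares against: the IP total length."""
    return IP_UDP_OVERHEAD + len(payload)


def matches_wiki_pattern(payload):
    """Byte-exact substring match, which is what xt_string does without --icase."""
    return WIKI_ISC_PATTERN in payload


class SrcIpLimiter:
    """Token bucket per source IP, modelling hashlimit --hashlimit-mode srcip
    --hashlimit-upto <rate>/s. Burst defaults to 5, as hashlimit's does."""

    def __init__(self, per_second, burst=5):
        self.rate, self.burst, self.buckets = per_second, burst, {}

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


class LengthRateFilter:
    """Kenny's chain: 64-byte packets at most 1/s per source, 56-byte packets
    at most 2/s per source, everything else accepted."""

    def __init__(self):
        self.limits = {64: SrcIpLimiter(1), 56: SrcIpLimiter(2)}

    def verdict(self, src, payload, now):
        limiter = self.limits.get(wire_length(payload))
        if limiter is None:
            return "ACCEPT"
        return "ACCEPT" if limiter.allow(src, now) else "DROP"


def run_trace():
    """Constructed trace: eight isc.org ANY queries from one source inside 70 ms,
    two root ANY queries from another, and an ordinary A query without EDNS0.
    Returns a list of (src, qname, verdict)."""
    isc_any = build_query("isc.org", QTYPE_ANY)
    root_any = build_query(".", QTYPE_ANY)
    plain_a = build_query("example.com", QTYPE_A, edns_bufsize=0)
    trace = [("192.0.2.10", "isc.org", isc_any, i * 0.01) for i in range(8)]
    trace += [("192.0.2.20", ".", root_any, 0.50), ("192.0.2.20", ".", root_any, 0.51)]
    trace += [("192.0.2.10", "example.com", plain_a, 0.60)]
    flt = LengthRateFilter()
    return [(src, name, flt.verdict(src, payload, t)) for src, name, payload, t in trace]


if __name__ == "__main__":
    print("isc.org ANY wire length:", wire_length(build_query("isc.org", QTYPE_ANY)))
    print("root ANY wire length:   ", wire_length(build_query(".", QTYPE_ANY)))
    for row in run_trace():
        print(row)
```

Running it shows why the lengths in Kenny's rules are what they are: header (12) + `isc.org` question (13) + OPT record (11) = 36 bytes of DNS, plus 28 bytes of IP/UDP headers, gives 64; the root-zone question is 12 bytes shorter, giving 56. It also shows what Psilo's hex pattern actually pins down: the six bytes before the name are ANCOUNT, NSCOUNT and ARCOUNT, so the pattern only matches a query whose ARCOUNT is 1 (the EDNS0 form), and because xt_string compares bytes exactly, a query without the OPT record or with different letter case in the name does not match it. The length-keyed rules do not depend on the name at all, which is what makes them cheap, at the cost of rate-limiting any other 64- or 56-byte query from a busy source.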

