Re: [opennic-discuss] iptables rules inefficient


  • From: Psilo <dns AT psilo.org>
  • To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] iptables rules inefficient
  • Date: Mon, 20 May 2013 18:11:27 +0200

Thanks for your answer.

However, I just found out the filter is actually efficient; it's just that the dnstop tool captures the packets before they are filtered.

Now I use "dnstop eth0 -R" to see only DNS replies instead of queries, and there is nothing with "isc.org" or "ripe.net".

Sorry about this mistake.


2013/5/20 <kennytaylor AT runbox.com>
(sorry, hit the send button too early)

Hi Psilo,

I have been doing battle with the isc.org ANY queries for a month or so.  Those queries are all 64 bytes in length, so I set iptables rules to handle 64-byte packets differently.  Basically this:

- If packet length = 64, then allow up to 1/second per source IP    (matches isc.org ANY queries)
    - Drop all 64-byte packets in excess of above rule
- If packet length = 56, then allow up to 2/second per source IP   (matches root zone ANY queries)
    - Drop all 56-byte packets in excess of above rule
- Allow all other UDP DNS traffic

That has limited the attack traffic generated to around 500 kbit/sec, which is much more manageable.  Here are the raw iptables rules I'm using:

## Rate limit 64-byte queries (ANY against isc.org)
iptables -A TO-NS1 -d <dns_server_IP> -p udp --dport 53 -m length --length 64 -m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip --hashlimit-upto 1/s --hashli$
iptables -A TO-NS1 -d <dns_server_IP> -p udp --dport 53 -m length --length 64 -j DROP -m comment --comment "Drop all other 64-byte DNS queries"

## Rate limit ANY queries against the root zone
iptables -A TO-NS1 -d <dns_server_IP> -p udp --dport 53 -m length --length 56 -m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip --hashlimit-upto 2/s --hashli$
iptables -A TO-NS1 -d <dns_server_IP> -p udp --dport 53 -m length --length 56 -j DROP -m comment --comment "Drop all other 56-byte DNS queries"

Hope that helps,
Kenny




> ----- Start Original Message -----
> Sent: Mon, 20 May 2013 16:23:00 +0200
> From: Psilo <dns AT psilo.org>
> To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
> Subject: [opennic-discuss] iptables rules inefficient
>
> > Dear OpenNIC,
> >
> > I have setup my iptables rules according to the wiki but still getting a
> > lot of unwanted traffic with isc.org and ripe.net.
> > Here is the output of dnstop:
> >
> > Query Name           Count      %
> > ---------------- --------- ------
> > ripe.net               590   54.2
> > isc.org                406   37.3
> > cnr.it                  13    1.2
> > akamaiedge.net           6    0.6
> > 140.in-addr.arpa         6    0.6
> > 125.in-addr.arpa         5    0.5
> > 2-0.pl                   5    0.5
> > 86.in-addr.arpa          5    0.5
> > multi-play.pl            4    0.4
> > multi-play.eu            4    0.4
> > net.pl                   4    0.4
> > 202.in-addr.arpa         3    0.3
> > 46.in-addr.arpa          3    0.3
> > 91.in-addr.arpa          3    0.3
> >
> > I have setup the following iptables rules which were supposed to block this
> > traffic:
> >
> > # isc.org
> > -A DNSFILTER -p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --dport 53 -j DROP
> > # ripe.net
> > -A DNSFILTER -p udp -m string --hex-string "|0000000000010472697065036e6574|" --algo bm --dport 53 -j DROP
> >
> > The "ddos.pl" script isn't efficient either.
> >
> > I am getting annoyed by my provider who wants to cut the server because of
> > this traffic.
> >
> > Can you please help me figure out what's wrong? Do you have a more aggressive
> > version of these filters?
> >
> > Thanks
> > Psilo
> >
>
> ----- End Original Message -----


--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
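The two filtering approaches in this thread, Psilo's `-m string --hex-string` qname match and Kenny's `-m length` 64/56-byte match, can both be checked offline against hand-built DNS queries. The Python below is an added example written for this archive page; it is not code from either poster. It builds the UDP payload of a DNS query with an EDNS0 OPT record (ARCOUNT=1, which is what makes the hex patterns on this page line up: they begin with ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 and then the qname), adds the 20-byte IPv4 and 8-byte UDP headers to get the length that `-m length` compares, and emulates the string match. The IP-options-free header, the 4096-byte OPT payload size and the absence of OPT option data are assumptions; real attack packets may differ, so check `--length` values against a capture of your own traffic before copying them.

```python
"""Emulate the thread's two iptables DNS filters against hand-built queries.

Added example for this archive page, not code from either poster.
Assumptions: IPv4 header without options (20 bytes), 8-byte UDP header,
EDNS0 OPT record with no option data and a 4096-byte payload size.
"""
import struct

QTYPE_A = 1
QTYPE_ANY = 255
IPV4_UDP_OVERHEAD = 20 + 8  # assumption: no IP options

# The two --hex-string patterns posted by Psilo, copied from the thread
ISC_PATTERN = "|00000000000103697363036f726700|"
RIPE_PATTERN = "|0000000000010472697065036e6574|"


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a zero byte;
    the root zone "." is the single byte 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0, edns0=True):
    """UDP payload of a DNS query: 12-byte header, one IN question and, when
    edns0 is set, an OPT pseudo-record in the additional section (ARCOUNT=1),
    which is what amplification queries carry to obtain large responses."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    payload = header + question
    if edns0:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH 0
        payload += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return payload


def ip_length(dns_payload):
    """Total IPv4 packet length, the value `-m length --length N` compares."""
    return IPV4_UDP_OVERHEAD + len(dns_payload)


def hex_string(pattern):
    """Decode an iptables --hex-string argument: text outside |...| is
    literal, text inside the bars is hex (spaces allowed)."""
    out = b""
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return out


def string_match(dns_payload, pattern):
    """Emulate `-m string --hex-string PATTERN`. The kernel scans the whole
    packet starting at the IP header; this emulation scans only the DNS
    payload, which is where these patterns can occur."""
    return hex_string(pattern) in dns_payload


def length_rule(dns_payload):
    """Kenny's classification: 64-byte packets go to the 1/s per-source
    hashlimit bucket, 56-byte packets to the 2/s bucket, the rest is allowed."""
    n = ip_length(dns_payload)
    if n == 64:
        return "hashlimit 1/s then DROP"
    if n == 56:
        return "hashlimit 2/s then DROP"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed sample queries, including a legitimate one that has the same
    # wire length as the isc.org ANY query and is therefore rate-limited too.
    for name, qtype, edns0 in [("isc.org", QTYPE_ANY, True), (".", QTYPE_ANY, True),
                               ("ripe.net", QTYPE_ANY, True), ("ibm.com", QTYPE_A, True),
                               ("isc.org", QTYPE_ANY, False)]:
        q = build_query(name, qtype, edns0=edns0)
        print("%-9s qtype=%3d edns0=%-5s len=%2d  %-24s isc-match=%s"
              % (name, qtype, edns0, ip_length(q), length_rule(q),
                 string_match(q, ISC_PATTERN)))
```

Under these assumptions the isc.org ANY query with EDNS0 comes out at exactly 64 bytes and the root-zone ANY query at 56, matching the lengths Kenny reports, while a ripe.net ANY query computes to 65 bytes and would fall through to his final allow rule. The same computation shows the collateral damage of a pure length match: any query whose name encodes to 9 wire bytes with EDNS0 present (an A query for ibm.com, for instance) lands in the same 1/s bucket. Conversely, the hex patterns require ARCOUNT=1, so an isc.org ANY query sent without EDNS0 is not matched by the string rule at all. A packet-capture tool such as dnstop sees the frame before netfilter's INPUT chain runs, which is why looking at replies (`dnstop -R`) rather than queries is the right way to judge whether a DROP rule is working.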