
Re: [opennic-discuss] iptables rules inefficient


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] iptables rules inefficient
  • Date: Tue, 21 May 2013 13:08:57 -0600

Ah ok, that makes sense. I only see the byte-count that tcpdump gives me.
Hmm, this makes me wonder if there's something in the headers that I'm missing which might give more info about the origin of these packets?


On 05/21/2013 09:44 AM, kennytaylor AT runbox.com wrote:
Heh yes. The ISC.org packets I'm receiving look like this:

IP Header: 20 bytes
UDP Header: 8 bytes
UDP Payload: 36 bytes

So we're probably seeing the same thing. The iptables rule just wants me to
call that a 64-byte packet :)


----- Start Original Message -----
Sent: Tue, 21 May 2013 09:07:02 -0600
From: Jeff Taylor <shdwdrgn AT sourpuss.net>
To: discuss AT lists.opennicproject.org
Subject: Re: [opennic-discuss] iptables rules inefficient

Your packets must be different than the ones I've seen. The isc.org
packets I typically get are 36 bytes in length. I am also getting
flooded with ANY queries for the root zone which are 28 bytes. It would
be nice if the little script kiddies were smart enough to realize their
flood has been blocked for the last 3 months, but I guess that would
require them to possess more intelligence than pointing & clicking.


On 05/20/2013 09:04 AM, kennytaylor AT runbox.com wrote:
Hi Psilo,

I have been doing battle with the isc.org ANY queries for a month or so.
Those queries are all 64 bytes in length, so I set iptables rules to handle
64-byte packets differently. Basically this:

- If packet length = 64, then allow up to 1/second per source IP (matches
isc.org ANY queries)
- Drop all 64-byte packets in excess of above rule
- If packet length = 56, then allow up to 1/second per source IP

----- Start Original Message -----
Sent: Mon, 20 May 2013 16:23:00 +0200
From: Psilo <dns AT psilo.org>
To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
Subject: [opennic-discuss] iptables rules inefficient

Dear OpenNIC,

I have set up my iptables rules according to the wiki but am still getting a
lot of unwanted traffic with isc.org and ripe.net.
Here is the output of dnstop:

Query Name           Count       %
-----------------    -----    ------
ripe.net               590     54.2
isc.org                406     37.3
cnr.it                  13      1.2
akamaiedge.net           6      0.6
140.in-addr.arpa         6      0.6
125.in-addr.arpa         5      0.5
2-0.pl                   5      0.5
86.in-addr.arpa          5      0.5
multi-play.pl            4      0.4
multi-play.eu            4      0.4
net.pl                   4      0.4
202.in-addr.arpa         3      0.3
46.in-addr.arpa          3      0.3
91.in-addr.arpa          3      0.3

I have set up the following iptables rules which were supposed to block this
traffic:

# isc.org
-A DNSFILTER -p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --dport 53 -j DROP
# ripe.net
-A DNSFILTER -p udp -m string --hex-string "|0000000000010472697065036e6574|" --algo bm --dport 53 -j DROP

The "ddos.pl" script is not efficient either.

I am getting annoyed by my provider who wants to cut the server because of
this traffic.

Can you please help me figure out what's wrong? Do you have a more aggressive
version of these filters?

Thanks
Psilo


--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
----- End Original Message -----




----- End Original Message -----


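The following is an added example, not code from anyone in this thread, that models the three things discussed above in Python: why the 36-byte isc.org query Jeff sees in tcpdump is the 64-byte packet kennytaylor's rule matches (tcpdump reports the UDP payload; iptables "-m length" sees the IPv4 total length, 20 + 8 + payload), how the per-source 1/second limit on 64- and 56-byte packets behaves against a flood, and what the wiki's "--hex-string" pattern for isc.org actually keys on. The packets are constructed inline (not captured traffic), the IPv4 header is assumed to carry no options, and the rate limiter is a token bucket that approximates hashlimit's "srcip" mode rather than the kernel's own implementation. The iptables rule text quoted in the comments is my reconstruction of the rules kennytaylor describes in prose, not his actual rules.

```python
"""Added example (not from the thread): model the length-based and string-based
DNS filters discussed above on constructed query payloads."""
import struct

IP_HEADER_LEN = 20   # IPv4 header without options (assumption)
UDP_HEADER_LEN = 8   # so wire length seen by '-m length' = 28 + DNS payload

# Constructed sample payloads, not captured traffic. Layout per RFC 1035; the
# EDNS0 OPT record (RFC 6891) is what makes ARCOUNT 1 and adds 11 bytes.
ISC_ANY_EDNS = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"  # ID, flags=RD, QD=1 AN=0 NS=0 AR=1
    b"\x03isc\x03org\x00\x00\xff\x00\x01"                # question: isc.org ANY IN
    b"\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00"      # OPT RR: root name, type 41, UDP size 4096
)                                                        # 12 + 13 + 11 = 36 bytes -> 64 on the wire
ROOT_ANY_EDNS = (
    b"\x56\x78\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"
    b"\x00\x00\xff\x00\x01"                               # question: . ANY IN
    b"\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00"
)                                                        # 12 + 5 + 11 = 28 bytes -> 56 on the wire
ISC_ANY_PLAIN = (                                        # same isc.org query without EDNS0: AR=0
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x03isc\x03org\x00\x00\xff\x00\x01"
)                                                        # 25 bytes -> 53 on the wire
EXAMPLE_A_PLAIN = (                                      # an ordinary A query
    b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
)                                                        # 12 + 17 = 29 bytes -> 57 on the wire

# The isc.org pattern from the wiki rule quoted in the thread.
WIKI_ISC_PATTERN = bytes.fromhex("00000000000103697363036f726700")


def parse_dns_query(payload):
    """Parse the header and first question of a DNS query payload (the size
    tcpdump reports) and add the IPv4/UDP wire length that iptables sees."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _ident, _flags, qdcount, _an, _ns, arcount = struct.unpack("!6H", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "qname": ".".join(labels) or ".",
        "qtype": qtype,
        "arcount": arcount,
        "payload_len": len(payload),
        "wire_len": IP_HEADER_LEN + UDP_HEADER_LEN + len(payload),
    }


def matches_wiki_rule(payload, pattern=WIKI_ISC_PATTERN):
    """True if the '-m string --hex-string' pattern occurs in the payload.
    The 15 bytes are ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 followed by the isc.org
    name, so the rule keys on isc.org queries that carry an EDNS0 OPT record
    and ignores the same query without one (ARCOUNT=0)."""
    return pattern in payload


class PerSourceLimiter:
    """Token bucket approximating 'hashlimit --hashlimit-mode srcip
    --hashlimit-upto 1/sec --hashlimit-burst 1' (a model, not xt_hashlimit)."""

    def __init__(self, rate_per_sec=1.0, burst=1):
        self.rate, self.burst, self.buckets = rate_per_sec, float(burst), {}

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[src] = (tokens - 1.0 if ok else tokens, now)
        return ok


def length_policy(packets):
    """Apply the policy kennytaylor describes to (time, src, payload) tuples:
    64- and 56-byte packets get 1/s per source IP and the excess is dropped;
    everything else passes. Roughly (my reconstruction, not his rules):
      -A DNSFILTER -p udp --dport 53 -m length --length 64 -m hashlimit
         --hashlimit-name dns64 --hashlimit-mode srcip --hashlimit-upto 1/sec
         --hashlimit-burst 1 -j ACCEPT
      -A DNSFILTER -p udp --dport 53 -m length --length 64 -j DROP
    Note that this limits every 64-byte DNS query, not only isc.org ones."""
    limiters = {64: PerSourceLimiter(), 56: PerSourceLimiter()}
    verdicts = []
    for now, src, payload in packets:
        limiter = limiters.get(IP_HEADER_LEN + UDP_HEADER_LEN + len(payload))
        if limiter is None:
            verdicts.append("ACCEPT")
        else:
            verdicts.append("ACCEPT" if limiter.allow(src, now) else "DROP")
    return verdicts


def simulate():
    """Constructed scenario: 198.51.100.7 sends isc.org ANY every 0.25 s while
    192.0.2.10 sends one isc.org ANY and one ordinary A query."""
    flood = [(i * 0.25, "198.51.100.7", ISC_ANY_EDNS) for i in range(5)]
    other = [(0.3, "192.0.2.10", ISC_ANY_EDNS), (0.6, "192.0.2.10", EXAMPLE_A_PLAIN)]
    packets = sorted(flood + other, key=lambda p: p[0])
    return [(src, verdict) for (_, src, _), verdict in zip(packets, length_policy(packets))]


if __name__ == "__main__":
    for sample in (ISC_ANY_EDNS, ROOT_ANY_EDNS, ISC_ANY_PLAIN):
        print(parse_dns_query(sample), "wiki rule matches:", matches_wiki_rule(sample))
    for src, verdict in simulate():
        print(src, verdict)
```

Two things the model makes visible that the thread only hints at: the wiki's string rule silently depends on the EDNS0 OPT record being present (a 25-byte isc.org query without it passes), and it drops every matching query regardless of source, so a legitimate resolver asking about isc.org with EDNS0 is dropped along with the flood; the length-based rule instead keeps one query per second per source flowing, which is why it is the gentler of the two. Both rules should be checked against a packet capture on the actual host, since a different IP header length or a different EDNS payload size shifts the numbers above.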



