dns-operations - Re: [opennic-dns-operations] DOS attack

  • From: Falk Husemann <josen AT paketsequenz.de>
  • To: dns-operations AT lists.opennicproject.org
  • Subject: Re: [opennic-dns-operations] DOS attack
  • Date: Thu, 28 Jun 2012 12:54:05 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

from observations and my own statistics I came up with a simple rate
limiter for iptables that I use here. It has helped block some zombies from
downing my home leased line. Maybe it can help you too?

<snip>
#!/bin/bash
# This script limits the queries per second to 5/s
# with a burst rate of 15/s and does not require
# buffer space changes
#
# Note: xt_recent remembers at most ip_pkt_list_tot timestamps per
# address (module parameter, default 20); kernels that enforce
# --hitcount <= ip_pkt_list_tot reject the 7-second rule below unless
# the module is loaded with a larger value (e.g. ip_pkt_list_tot=64).
# Note: --state NEW only sees the first query of each UDP 5-tuple; a
# client that reuses one source port after it has received a reply is
# ESTABLISHED from then on and bypasses these rules.

# Requests per second
RQS="15"

# Requests per 7 seconds
RQH="35"

# Flushes every rule in the filter table, not only the four below
iptables --flush

# Record every new query, then drop the source once it has
# RQS hits within the last second (the current query is already counted)
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent \
    --set --name DNSQF --rsource
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent \
    --update --seconds 1 --hitcount ${RQS} --name DNSQF --rsource -j DROP

# Same again over a 7-second window with RQH hits
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent \
    --set --name DNSHF --rsource
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent \
    --update --seconds 7 --hitcount ${RQH} --name DNSHF --rsource -j DROP
</snip>

It doesn't require tuning or recompiling your kernel and works with
stock Debian squeeze. It allows for request peaks, which I
sometimes observe here.

You _may_ request 15 hostnames in a second, if this doesn't bring you
over 35 requests in seven seconds (5/sec).

Was too lazy to use Jeff's script, but it looks really well written :)

Greets,
Falk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP7DfMAAoJEPPG1NATKThtGR0H/0fVzKTVWJckRuNjLib6E6Vi
lrNxdUUrPgStqq8nlE2LrLEQCGTUqxdO2fIN8vI1ami8lBAvFgcmP/vtqt/Fq8Ji
5Bk26Da3QT4d34Pr/QUY7ZF/pKBeBkWmNcStibx0XJLR0v7pfRCLWBDhnv4ZIXiS
zy848tH1akkvVeUbzxTDWi9VCSfmN+/eZmOE/CN98MYlYAeHCFefi3Faksld0gpP
Sk9t4rZtO0shJ6ZHv9AO3t0jZLtUxFrIAzhsOsEMgPj/26Lv9hx8aRBITAx2FqE9
44Qkxr1JQky6Tf4qPnpBk8tgQdVjYmcWu1NcvoOvYFaUYMZR3F5s7jyMX74/gL8=
=utzs
-----END PGP SIGNATURE-----
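To show what the two windows in Falk's script actually admit, here is an added simulation (editor's example, not Falk's script and not kernel code) that replays constructed query timestamps through a model of the iptables recent match. It assumes the xt_recent semantics as I understand them: --set appends a timestamp to a bounded per-address ring, --update counts the stamps within --seconds and matches once they reach --hitcount, appending one more stamp when it matches; the ring size stands in for the ip_pkt_list_tot module parameter. The addresses, timings and thresholds other than RQS/RQH are constructed.

```python
"""Model of the four-rule xt_recent limiter from the message above.

Added example: not Falk's script and not kernel code. It replays
constructed query timestamps through a model of the iptables 'recent'
match with '--set' placed ahead of '--update', as in the script.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple

# Thresholds taken from the posted script.
RQS = 15  # --hitcount on the 1-second list DNSQF
RQH = 35  # --hitcount on the 7-second list DNSHF


class RecentList:
    """One xt_recent list (one --name), keyed by source address (--rsource).

    Assumed semantics:
      * each address keeps a bounded ring of packet timestamps;
      * --set appends the current timestamp;
      * --update --seconds S --hitcount H matches when at least H stored
        stamps fall within the last S seconds, and appends one more
        stamp when it matches.
    ring_size stands in for the ip_pkt_list_tot module parameter.
    """

    def __init__(self, ring_size: int = 64) -> None:
        self.ring_size = ring_size
        self.stamps: Dict[str, Deque[int]] = {}

    def set(self, src: str, now_ms: int) -> None:
        ring = self.stamps.setdefault(src, deque(maxlen=self.ring_size))
        ring.append(now_ms)

    def update(self, src: str, now_ms: int, seconds: int, hitcount: int) -> bool:
        ring = self.stamps.get(src)
        if ring is None:
            return False
        hits = sum(1 for t in ring if now_ms - t <= seconds * 1000)
        matched = hits >= hitcount
        if matched:
            ring.append(now_ms)  # a matching --update refreshes the entry
        return matched


class DnsRateLimiter:
    """The four INPUT rules of the script, evaluated in order per packet."""

    def __init__(self, rqs: int = RQS, rqh: int = RQH, ring_size: int = 64) -> None:
        self.dnsqf = RecentList(ring_size)
        self.dnshf = RecentList(ring_size)
        self.rqs = rqs
        self.rqh = rqh

    def decide(self, src: str, now_ms: int) -> str:
        self.dnsqf.set(src, now_ms)                        # rule 1: --set DNSQF
        if self.dnsqf.update(src, now_ms, 1, self.rqs):    # rule 2: 1 s window
            return "DROP"
        self.dnshf.set(src, now_ms)                        # rule 3: --set DNSHF
        if self.dnshf.update(src, now_ms, 7, self.rqh):    # rule 4: 7 s window
            return "DROP"
        return "ACCEPT"                                    # fell through the chain


def run(packets: List[Tuple[int, str]], **limiter_kw) -> Dict[str, Tuple[int, int]]:
    """Replay (time_ms, src) packets in time order; return {src: (accepted, dropped)}."""
    fw = DnsRateLimiter(**limiter_kw)
    counts: Dict[str, Tuple[int, int]] = {}
    for now_ms, src in sorted(packets):
        accepted, dropped = counts.get(src, (0, 0))
        if fw.decide(src, now_ms) == "ACCEPT":
            counts[src] = (accepted + 1, dropped)
        else:
            counts[src] = (accepted, dropped + 1)
    return counts


def sample_traffic() -> List[Tuple[int, str]]:
    """Constructed traffic on documentation addresses, not captured data."""
    burst = [(i * 10, "198.51.100.7") for i in range(40)]     # 40 queries in 0.4 s
    steady = [(i * 100, "203.0.113.9") for i in range(100)]   # 10 qps for 10 s
    normal = [(t, "192.0.2.5") for t in (0, 200, 400, 5000, 5200, 5400)]
    return burst + steady + normal


if __name__ == "__main__":
    for src, (acc, drp) in sorted(run(sample_traffic()).items()):
        print(f"{src:15} accepted={acc:3d} dropped={drp:3d}")
    # With a 20-entry ring (the default ip_pkt_list_tot) the 7 s rule can
    # never see 35 stamps, so the steady 10 qps source is never limited.
    print("ring=20:", run(sample_traffic(), ring_size=20)["203.0.113.9"])
```

Under this model the bursting source gets 14 queries through and loses the rest, because the --set rule has already recorded the current query when --update counts, so the 15th query in a second is the first one dropped; the steady 10 qps source never trips the 1-second rule but is cut off at its 35th query by the 7-second rule, and since every dropped query adds two stamps it stays dropped for as long as it keeps sending. The ring_size=20 run shows the 7-second rule never firing when the per-address history cannot hold 35 stamps, which is the case to check on a kernel that does not grow the ring to fit --hitcount.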