dns-operations AT lists.opennicproject.org
Subject: Dns-operations mailing list
List archive
[opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic
Chronological Thread
- From: Brian Koontz <brian AT opennicproject.org>
- To: OpenNIC DNS Ops <dns-operations AT lists.opennicproject.org>
- Subject: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic
- Date: Wed, 22 Aug 2012 23:28:31 -0500
All--
Here are some iptables rules that Jeff and I have been testing to
determine their effectiveness in reducing DNS abuse traffic. Both of
us have been seeing hit rates of 20-50/second from various IP's. On
my own T2, loads were as high as 4-5. After implementing the
following rules, my T2 load dropped to a steady 1.0, with a dramatic
decrease in "bad" DNS traffic.
Here are the rules we have been testing with:
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m hashlimit --hashlimit-srcmask 24 \
--hashlimit-mode srcip --hashlimit-upto 30/m --hashlimit-burst 10 \
--hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j DROP
Basic explanation (please note I am not an iptables expert, so my
understanding may or may not be accurate):
The first line might or might not be needed, and simply opens up port
53 to UDP traffic.
The second line uses:
'-m hashlimit' to specify hashlimit filtering.
'--hashlimit-scrmask 24' works in conjunction with '--hashlimit-mode
srcip' to group incoming IPs in "net blocks" using a netmask of /24.
This allows processing of multiple IPs that come from the same
netblock but different hosts.
'--hashlimit-upto 30/m' in conjunction with '-j ACCEPT' permits traffic
to pass that has an average rate of less than 30 packets per minute.
'--hashlimit-burst 10' allows for 10 "free" packets before averaging
begins
'--hashlimit-name DNSTHROTTLE' provides access via
/proc/net/ipt_hashlimits/DNSTHROTTLE to the list of all blocked IP subnets at
any given moment in time. You can use any name for this option.
The third line is necessary to drop any packets that don't satisfy the
preceding rule.
I believe Jeff is going to follow up this email with equivalent
shorewall rules. Please report back with successes and/or failures.
I'm sure the parameters I've chosen can use much more tweaking.
--Brian
--
OpenNIC (the sequel) co-founder and wikimaster
IRC: Freenode.net channel #opennic
- [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Brian Koontz, 08/23/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Jeff Taylor, 08/23/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, David Norman, 08/23/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Jeff Taylor, 08/23/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Brian Koontz, 08/24/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Jeff Taylor, 08/24/2012
Archive powered by MHonArc 2.6.19.