Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic
- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: dns-operations AT lists.opennicproject.org
- Subject: Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic
- Date: Wed, 22 Aug 2012 22:44:20 -0600
As a follow-up, I use Shorewall and wanted to include these rules in my
configuration. I came up with the following lines for the 'rules' file:
DNS(ACCEPT) net $FW ;rate=s:DNSTHROTTLE:30/min:10
DNS(DROP) net $FW
Please adjust your source and dest fields appropriately. These lines
should come *before* any other rules you have to accept or DNAT your
incoming DNS packets, and the two lines must remain together so that any
IPs that exceed the rate-limit are dropped.
With these rules in place, I monitored an IP that has been hitting me
hard the last few days (somewhere around 50 queries per second,
sustained). Immediately after restarting shorewall, the traffic from
this IP dropped to about 1 query every 2 seconds... much more manageable.
On 08/22/2012 10:28 PM, Brian Koontz wrote:
> All--
>
> Here are some iptables rules that Jeff and I have been testing to
> determine their effectiveness in reducing DNS abuse traffic. Both of
> us have been seeing hit rates of 20-50/second from various IPs. On
> my own T2, loads were as high as 4-5. After implementing the
> following rules, my T2 load dropped to a steady 1.0, with a dramatic
> decrease in "bad" DNS traffic.
>
> Here are the rules we have been testing with:
>
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m hashlimit --hashlimit-srcmask 24 \
> --hashlimit-mode srcip --hashlimit-upto 30/m --hashlimit-burst 10 \
> --hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j DROP
>
> Basic explanation (please note I am not an iptables expert, so my
> understanding may or may not be accurate):
>
> The first line might or might not be needed, and simply opens up port
> 53 to UDP traffic.
>
> The second line uses:
> '-m hashlimit' to specify hashlimit filtering.
> '--hashlimit-srcmask 24' works in conjunction with '--hashlimit-mode
> srcip' to group incoming IPs in "net blocks" using a netmask of /24.
> This allows processing of multiple IPs that come from the same
> netblock but different hosts.
> '--hashlimit-upto 30/m' in conjunction with '-j ACCEPT' permits traffic
> to pass that has an average rate of less than 30 packets per minute.
> '--hashlimit-burst 10' allows for 10 "free" packets before averaging
> begins.
> '--hashlimit-name DNSTHROTTLE' provides access via
> /proc/net/ipt_hashlimits/DNSTHROTTLE to the list of all blocked IP subnets
> at any given moment in time. You can use any name for this option.
>
> The third line is necessary to drop any packets that don't satisfy the
> preceding rule.
>
> I believe Jeff is going to follow up this email with equivalent
> shorewall rules. Please report back with successes and/or failures.
> I'm sure the parameters I've chosen can use much more tweaking.
>
> --Brian
>
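As an added illustration that is not part of Jeff's or Brian's posts: a small Python token-bucket model of Brian's second rule (srcmask 24, upto 30/m, burst 10) followed by the DROP rule, run over constructed traffic. The addresses are TEST-NET values chosen here, the 50 q/s sender mirrors the rate Jeff describes, and the model is a simplification of the kernel's hashlimit match, not its code.

```python
from collections import defaultdict
from fractions import Fraction
from ipaddress import ip_network

# Parameters mirrored from the rules posted in the thread.
SRCMASK = 24          # --hashlimit-srcmask 24
RATE_PER_MIN = 30     # --hashlimit-upto 30/m
BURST = 10            # --hashlimit-burst 10


def bucket_key(src_ip, srcmask=SRCMASK):
    """Collapse a source address to its /srcmask network (srcip mode + srcmask)."""
    return str(ip_network(f"{src_ip}/{srcmask}", strict=False))


def simulate(packets, rate_per_min=RATE_PER_MIN, burst=BURST, srcmask=SRCMASK):
    """Token-bucket model of the hashlimit ACCEPT rule followed by the DROP rule.

    packets: iterable of (time_ms, src_ip). Returns {src_ip: (accepted, dropped)}.
    Each /srcmask bucket starts full (burst tokens) and refills at rate_per_min
    tokens per minute; a packet passes when a whole token is available, otherwise
    it falls through to the DROP rule. Fractions keep the boundaries exact.
    """
    refill_per_ms = Fraction(rate_per_min, 60_000)
    buckets = {}                      # key -> (tokens, last_seen_ms)
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(packets):
        key = bucket_key(src, srcmask)
        tokens, last = buckets.get(key, (Fraction(burst), t))
        tokens = min(Fraction(burst), tokens + (t - last) * refill_per_ms)
        if tokens >= 1:
            tokens -= 1
            stats[src][0] += 1
        else:
            stats[src][1] += 1
        buckets[key] = (tokens, t)
    return {src: tuple(v) for src, v in stats.items()}


def demo():
    """Constructed traffic: a 50 q/s abuser, a quiet host in its /24, an unrelated client."""
    pkts = [(k * 20, "203.0.113.10") for k in range(450)]   # 50 q/s for 9 s
    pkts.append((4500, "203.0.113.200"))                    # shares the abuser's /24 bucket
    pkts += [(t, "198.51.100.5") for t in (0, 5000)]        # normal client, 1 q / 5 s
    return simulate(pkts)


if __name__ == "__main__":
    for src, (ok, dropped) in demo().items():
        print(f"{src:15} accepted={ok:3} dropped={dropped}")
```

With these parameters the abuser gets its 10 burst packets and then one accepted query every 2 seconds (14 of 450 in 9 s), the rate Jeff reports; the quiet host in the same /24 is dropped as well, which is the cost of grouping by --hashlimit-srcmask 24.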