Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic
- From: David Norman <deekayen AT deekayen.net>
- To: "dns-operations AT lists.opennicproject.org" <dns-operations AT lists.opennicproject.org>
- Subject: Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic
- Date: Thu, 23 Aug 2012 08:12:48 -0400
Is this not appropriate for ddos.pl?
On Aug 23, 2012, at 12:28 AM, Brian Koontz <brian AT opennicproject.org> wrote:
> All--
>
> Here are some iptables rules that Jeff and I have been testing to
> determine their effectiveness in reducing DNS abuse traffic. Both of
> us have been seeing hit rates of 20-50/second from various IP's. On
> my own T2, loads were as high as 4-5. After implementing the
> following rules, my T2 load dropped to a steady 1.0, with a dramatic
> decrease in "bad" DNS traffic.
>
> Here are the rules we have been testing with:
>
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m hashlimit --hashlimit-srcmask 24 \
> --hashlimit-mode srcip --hashlimit-upto 30/m --hashlimit-burst 10 \
> --hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j DROP
>
> Basic explanation (please note I am not an iptables expert, so my
> understanding may or may not be accurate):
>
> The first line might or might not be needed, and simply opens up port
> 53 to UDP traffic.
>
> The second line uses:
> '-m hashlimit' to specify hashlimit filtering.
> '--hashlimit-srcmask 24' works in conjunction with '--hashlimit-mode
> srcip' to group incoming IPs in "net blocks" using a netmask of /24.
> This allows processing of multiple IPs that come from the same
> netblock but different hosts.
> '--hashlimit-upto 30/m' in conjunction with '-j ACCEPT' permits traffic
> to pass that has an average rate of less than 30 packets per minute.
> '--hashlimit-burst 10' allows for 10 "free" packets before averaging
> begins.
> '--hashlimit-name DNSTHROTTLE' provides access via
> /proc/net/ipt_hashlimits/DNSTHROTTLE to the list of all blocked IP subnets
> at any given moment in time. You can use any name for this option.
>
> The third line is necessary to drop any packets that don't satisfy the
> preceding rule.
>
> I believe Jeff is going to follow up this email with equivalent
> shorewall rules. Please report back with successes and/or failures.
> I'm sure the parameters I've chosen can use much more tweaking.
>
> --Brian
>
> --
> OpenNIC (the sequel) co-founder and wikimaster
> IRC: Freenode.net channel #opennic
>
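To make the interaction of '--hashlimit-upto', '--hashlimit-burst' and '--hashlimit-srcmask' concrete, here is an added Python simulation of the rule quoted above. It is not code from the thread, from Brian or Jeff, or from OpenNIC: it models the hashlimit match as a per-/24 token bucket (an approximation; the kernel module keeps an integer credit counter rather than a float) and replays a constructed packet trace built from RFC 5737 documentation addresses, reporting which queries the ACCEPT rule would match and which would fall through to the final DROP rule.

```python
"""Simulation of the quoted iptables hashlimit rule (added example, not the module's code).

Models '--hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-upto 30/m
--hashlimit-burst 10' as a token bucket keyed by the source /24 and replays
a constructed packet trace. Approximation: the real module uses an integer
credit counter; the verdicts here are the same for traces this far from the
boundaries.
"""
import ipaddress
from collections import Counter


class HashlimitSim:
    """Token bucket keyed by the source /<srcmask> network."""

    def __init__(self, upto_per_minute=30, burst=10, srcmask=24):
        self.refill_interval = 60.0 / upto_per_minute  # seconds per token (2 s at 30/m)
        self.burst = burst                              # bucket capacity (--hashlimit-burst)
        self.srcmask = srcmask
        self.buckets = {}                               # key -> (tokens, last_seen)

    def key(self, src_ip):
        # --hashlimit-mode srcip with --hashlimit-srcmask 24: every host in the
        # same /24 shares one bucket.
        return str(ipaddress.ip_network(f"{src_ip}/{self.srcmask}", strict=False))

    def matches(self, src_ip, t):
        """True if the hashlimit ACCEPT rule would match a packet from src_ip at time t."""
        k = self.key(src_ip)
        tokens, last = self.buckets.get(k, (float(self.burst), t))
        # refill at the average rate, never above the burst size
        tokens = min(float(self.burst), tokens + (t - last) / self.refill_interval)
        if tokens >= 1.0:
            self.buckets[k] = (tokens - 1.0, t)
            return True
        self.buckets[k] = (tokens, t)  # no credit: packet falls through to the DROP rule
        return False


def replay(trace, **kwargs):
    """Replay (time, src_ip) packets; return a Counter of (bucket, 'accept'|'drop')."""
    sim = HashlimitSim(**kwargs)
    out = Counter()
    for t, ip in sorted(trace):
        out[(sim.key(ip), "accept" if sim.matches(ip, t) else "drop")] += 1
    return out


def constructed_trace():
    """Constructed packet trace using RFC 5737 documentation addresses."""
    trace = []
    # abusive host: 50 queries in one second (comparable to the 20-50/s in the thread)
    trace += [(0.02 * i, "203.0.113.5") for i in range(50)]
    # a neighbour in the same /24 sends a single query right afterwards
    trace += [(1.0, "203.0.113.77")]
    # the abusive host again after a minute of silence
    trace += [(62.0, "203.0.113.5")]
    # well-behaved client elsewhere: one query every 10 s
    trace += [(10.0 * i, "198.51.100.9") for i in range(5)]
    return trace


if __name__ == "__main__":
    for (net, verdict), n in sorted(replay(constructed_trace()).items()):
        print(f"{net:18} {verdict:6} {n}")
```

Two things the replay makes visible. First, the /24 grouping is shared state: once the abusive host has drained the bucket, the single query from its neighbour 203.0.113.77 is dropped too, so a busy legitimate resolver sitting in the same /24 as an abuser gets throttled with it. Second, since iptables evaluates rules in order, the first quoted rule accepts every NEW UDP/53 packet before the hashlimit rule is consulted; to see the throttle act on live traffic, check the packet counters with 'iptables -L RH-Firewall-1-INPUT -v -n' and confirm that the hashlimit rule, not the state rule, is the one being hit.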
- [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Brian Koontz, 08/23/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Jeff Taylor, 08/23/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, David Norman, 08/23/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Jeff Taylor, 08/23/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Brian Koontz, 08/24/2012
- Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic, Jeff Taylor, 08/24/2012