Dns-operations mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

We've been discussing it.  I am currently running both right now to see
if there are any unforeseen interactions, or if there is any way to
improve ddos.pl with hashlimits in mind.  The hashlimit rules and
ddos.pl limit traffic in very different ways, so at first glance, it
appears that running both together gives good all-around protection from
flooding and attacks.


On 08/23/2012 06:12 AM, David Norman wrote:
> Is this not appropriate for ddos.pl?
>
> On Aug 23, 2012, at 12:28 AM, Brian Koontz <brian AT opennicproject.org> wrote:
>
>> All--
>>
>> Here are some iptables rules that Jeff and I have been testing to
>> determine their effectiveness in reducing DNS abuse traffic.  Both of
>> us have been seeing hit rates of 20-50/second from various IP's.  On
>> my own T2, loads were as high as 4-5.  After implementing the
>> following rules, my T2 load dropped to a steady 1.0, with a dramatic
>> decrease in "bad" DNS traffic.
>>
>> Here are the rules we have been testing with:
>>
>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j 
>> ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m hashlimit --hashlimit-srcmask 24 \
>>    --hashlimit-mode srcip --hashlimit-upto 30/m --hashlimit-burst 10 \
>>    --hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j DROP
>>
>> Basic explanation (please note I am not an iptables expert, so my
>> understanding may or may not be accurate):
>>
>> The first line might or might not be needed, and simply opens up port
>> 53 to UDP traffic.
>>
>> The second line uses: 
>>    '-m hashlimit' to specify hashlimit filtering.
>>    '--hashlimit-scrmask 24' works in conjunction with '--hashlimit-mode
>> srcip' to group incoming IPs in "net blocks" using a netmask of /24.
>> This allows processing of multiple IPs that come from the same
>> netblock but different hosts.  
>>    '--hashlimit-upto 30/m' in conjunction with '-j ACCEPT' permits traffic 
>> to pass that has an average rate of less than 30 packets per minute.  
>>    '--hashlimit-burst 10' allows for 10 "free" packets before averaging 
>> begins
>>    '--hashlimit-name DNSTHROTTLE' provides access via 
>> /proc/net/ipt_hashlimits/DNSTHROTTLE to the list of all blocked IP subnets 
>> at any given moment in time.  You can use any name for this option.
>>
>> The third line is necessary to drop any packets that don't satisfy the
>> preceding rule.
>>
>> I believe Jeff is going to follow up this email with equivalent
>> shorewall rules.  Please report back with successes and/or failures.
>> I'm sure the parameters I've chosen can use much more tweaking.
>>
>>  --Brian
>>
>> -- 
>> OpenNIC (the sequel) co-founder and wikimaster
>> IRC: Freenode.net channel #opennic
>>
>> ----
>> To unsubscribe, email dns-operations-unsubscribe AT lists.opennicproject.org
>
> ----
> To unsubscribe, email dns-operations-unsubscribe AT lists.opennicproject.org