dns-operations - Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic

  • From: Brian Koontz <brian AT opennicproject.org>
  • To: dns-operations AT lists.opennicproject.org
  • Subject: Re: [opennic-dns-operations] Using iptables and hashlimits to throttle DNS abuse traffic
  • Date: Fri, 24 Aug 2012 00:39:06 -0500

On Thu, Aug 23, 2012 at 08:12:48AM -0400, David Norman wrote:
> Is this not appropriate for ddos.pl?

One big difference is that ddos.pl operates on the entire IP, while
hashlimits allow multiple IPs from the same subnet (specified by
hashlimit-srcmask) to be grouped together for filtering purposes.

--Brian

> On Aug 23, 2012, at 12:28 AM, Brian Koontz <brian AT opennicproject.org> wrote:
>
> > All--
> >
> > Here are some iptables rules that Jeff and I have been testing to
> > determine their effectiveness in reducing DNS abuse traffic. Both of
> > us have been seeing hit rates of 20-50/second from various IPs. On
> > my own T2, loads were as high as 4-5. After implementing the
> > following rules, my T2 load dropped to a steady 1.0, with a dramatic
> > decrease in "bad" DNS traffic.
> >
> > Here are the rules we have been testing with:
> >
> > -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m hashlimit --hashlimit-srcmask 24 \
> > --hashlimit-mode srcip --hashlimit-upto 30/m --hashlimit-burst 10 \
> > --hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j DROP
--
OpenNIC (the sequel) co-founder and wikimaster
IRC: Freenode.net channel #opennic
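As an added illustration (not code from this thread), a small Python model of the hashlimit token bucket the quoted rules rely on: `--hashlimit-upto 30/m --hashlimit-burst 10`, keyed by the source address masked to `--hashlimit-srcmask`. Running the same constructed flood with srcmask 24 and srcmask 32 shows the subnet grouping Brian describes versus per-address limiting; the addresses, timings and the `simulate` helper are all constructed here.

```python
import ipaddress

class HashLimit:
    """Token-bucket model of iptables '-m hashlimit --hashlimit-mode srcip'.
    Constructed approximation: each key holds `burst` tokens, refilled at
    `upto` per minute; the key is the source masked to --hashlimit-srcmask."""

    def __init__(self, upto_per_minute, burst, srcmask):
        self.rate = upto_per_minute / 60.0   # tokens per second
        self.burst = burst
        self.srcmask = srcmask
        self.buckets = {}                    # key -> (tokens, last_seen)

    def key(self, src):
        # srcmask 24 puts every host of a /24 into one bucket; 32 is per host
        net = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        return str(net.network_address)

    def allow(self, src, now):
        """True if the packet matches the hashlimit rule (would be ACCEPTed)."""
        k = self.key(src)
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, now)
            return True
        self.buckets[k] = (tokens, now)      # no credit: falls through to DROP
        return False

def simulate(queries, srcmask, upto=30, burst=10):
    """queries: list of (seconds, src_ip). Returns (accepted, dropped)."""
    hl = HashLimit(upto, burst, srcmask)
    accepted = dropped = 0
    for t, src in queries:
        if hl.allow(src, t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped

# Constructed flood: five hosts in 203.0.113.0/24 (TEST-NET-3) each send
# four queries, interleaved, 20 packets inside one second.
FLOOD = [(i * 0.05, f"203.0.113.{1 + i % 5}") for i in range(20)]
# Constructed steady stream: one host sending exactly one query per second.
STEADY = [(float(s), "198.51.100.7") for s in range(60)]

if __name__ == "__main__":
    print("flood, srcmask 24:", simulate(FLOOD, 24))   # whole /24 shares a bucket
    print("flood, srcmask 32:", simulate(FLOOD, 32))   # per-address limiting
    print("1 qps for 60 s, srcmask 24:", simulate(STEADY, 24))
```

The model covers only the hashlimit match itself; whether a packet ever reaches that rule depends on the rules ahead of it in the chain.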
