From bert.hubert at netherlabs.nl Mon Nov 17 20:09:37 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Mon, 17 Nov 2014 21:09:37 +0100
Subject: [Pdns-announce] iphop.info attack today, iptables advice
Message-ID: <20141117200937.GA646@xs.powerdns.com>

Hi everybody,

Today we've been working with multiple PowerDNS users on an unusually heavy DNS attack, this time targeting 'iphop.info'. Unusually, the attack is coming in very concentrated from a small number of IP addresses.

Working with an impacted PowerDNS user, we found that the following works well on Linux:

# iptables -I INPUT -i eth0 -p udp --dport 53 -m hashlimit --hashlimit-mode srcip \
    --hashlimit-srcmask 32 --hashlimit-above 100/s \
    --hashlimit-burst 100 --hashlimit-name=bad -j DROP

(adjust eth0 as required). This limits individual clients to 100 queries/s, allowing a burst of up to 100 queries above that.

This iptables rule is not PowerDNS specific by the way, and will also work for other nameservers.

In one attack we saw on the order of 1 million queries/second, and this iptables rule was completely effective.

If anyone has developed a similar rule for FreeBSD, please share!

Kind regards,

Bert Hubert
PowerDNS

-- 
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372
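As an added illustration that is not part of Bert's mail or of PowerDNS: a small Python model of the per-source-IP token bucket that the hashlimit rule above applies (100/s, burst 100), run over a constructed one-second trace containing one flooding source and one normal client. The bucket logic is an assumption about how the module behaves, not the kernel code, and the IP addresses are made-up RFC 5737 documentation addresses.

```python
from collections import defaultdict

TOKEN = 1_000_000  # one query costs one token; integer micro-tokens avoid float drift


class SrcIpHashLimit:
    """Model of iptables -m hashlimit --hashlimit-mode srcip --hashlimit-above RATE
    --hashlimit-burst BURST (assumption: a per-source token bucket, not the kernel code)."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s      # tokens refilled per second
        self.burst = burst * TOKEN  # bucket capacity in micro-tokens
        self.buckets = {}           # src ip -> (credit, last timestamp in microseconds)

    def matches(self, src, ts_us):
        """True when the rule would match (and with -j DROP, drop) this query."""
        credit, last = self.buckets.get(src, (self.burst, ts_us))
        # elapsed_us * rate is exactly the refill in micro-tokens (rate tokens per 1e6 us)
        credit = min(self.burst, credit + (ts_us - last) * self.rate)
        if credit >= TOKEN:
            self.buckets[src] = (credit - TOKEN, ts_us)
            return False  # within the allowed rate: packet continues down the chain
        self.buckets[src] = (credit, ts_us)
        return True  # above the rate with the burst spent: matched, hence dropped


def build_trace():
    """Constructed one-second trace: a flooder at 10,000 q/s and a normal client at 50 q/s."""
    flooder = [("203.0.113.9", i * 100) for i in range(10_000)]   # one query every 100 us
    normal = [("198.51.100.7", i * 20_000) for i in range(50)]    # one query every 20 ms
    return sorted(flooder + normal, key=lambda pkt: pkt[1])


def simulate(trace, rate_per_s=100, burst=100):
    """Return {src: (passed, dropped)} for the trace under the rule's parameters."""
    rule = SrcIpHashLimit(rate_per_s, burst)
    counts = defaultdict(lambda: [0, 0])
    for src, ts_us in trace:
        counts[src][1 if rule.matches(src, ts_us) else 0] += 1
    return {src: tuple(c) for src, c in counts.items()}


if __name__ == "__main__":
    for src, (passed, dropped) in simulate(build_trace()).items():
        print(f"{src}: passed {passed}, dropped {dropped}")
```

The flooder is throttled to roughly the configured rate rather than blocked outright (199 of its 10,000 queries still reach the nameserver), while the normal client is untouched. The 100-query burst is spent within the first 10 ms of the flood because the bucket only refills at 100 tokens/s.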