<div dir="ltr"><div><div>Hello!<br><br></div><div>Sorry for my bad English.<br></div><div><br></div>You can try to analyze IP headers to find efficient strategy to block
bad requests. For example, I blocked bad packets by ID and TTL in IP
header, because some bad traffic had same ID=1 and strange TTL
(246<TTL<249, by default in most popular OSs TTL <= 128). In
other case I used for filter questions count in dns packets.<br><br>Filter by IPID=1 and 245<TTL<250:<br>iptables -I dns-filter -m u32 --u32 "5&0xFF=246:249 && 2&0xFFFF=0x1:0x1" -j DROP<br>
<br>Filter by qdcount > 4 (this worked on 200 mbps flood with random source IP):<br>iptables -I dns-filter -m u32 --u32 "30&0xFFFF=5:0xFFFF" -j DROP<br><br></div>Expression for tcpdump to filter requests by question type, for example by ANY (ID 255) :<br>
dst port 53 && udp[10]&0xf8=0 && udp[12:4]=65536 && udp[16:4]=0 && udp[udp[4:2]-3]=255</div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/6/3 Fernando Morgenstern <span dir="ltr"><<a href="mailto:fernandomorgenstern.fm@gmail.com" target="_blank">fernandomorgenstern.fm@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I have an issue where several IPs are making thousands of MBOXFW requests.</div>
<div>
<br></div><div>This overloads our Mysql backend and crashes our server.</div><div>
<br></div><div>I tried to block them manually in our firewall, but there are lots of different IPs.</div><div><br></div><div>Does Powerdns offers a way to rate limit IPs? Or is there another solution to this issue?</div>
<div><br></div><div>Thanks.</div></div>
<br>_______________________________________________<br>
Pdns-users mailing list<br>
<a href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a><br>
<a href="http://mailman.powerdns.com/mailman/listinfo/pdns-users" target="_blank">http://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
<br></blockquote></div><br></div>