[Pdns-announce] iphop.info attack today, iptables advice

bert hubert bert.hubert at netherlabs.nl
Mon Nov 17 20:09:37 UTC 2014

Hi everybody, 

Today we've been working with multiple PowerDNS users on an unusually heavy
DNS attack, this time targeting 'iphop.info'. Unusually, the attack is
coming in very concentrated from a small number of IP addresses. 

Working with an impacted PowerDNS user, we found that the following works
well on Linux:

# iptables -I INPUT -i eth0 -p udp --dport 53 -m hashlimit --hashlimit-mode srcip \
  --hashlimit-srcmask 32 --hashlimit-above 100/s                        \
  --hashlimit-burst 100 --hashlimit-name=bad -j DROP 

(adjust eth0 as required).

This limits individual clients to 100 queries/s, allowing a burst of up to
100 queries above that. 

This iptables rule is not PowerDNS specific by the way, and will also work
for other nameservers.

In one attack we saw on the order of 1 million queries/second, and this
iptables rule was completely effective.
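To see what the rule above does per source, here is an added example (not part of this mail, and not PowerDNS or netfilter code): a Python model of the hashlimit match as a per-source token bucket with the same parameters (--hashlimit-mode srcip, --hashlimit-srcmask 32, --hashlimit-above 100/s, --hashlimit-burst 100). The traffic it runs over is constructed: one flooding address sending 10,000 queries in a second and one ordinary client sending 50. The IP addresses and the function names are assumptions made for the example.

```python
"""Model of iptables -m hashlimit (srcip mode) as a per-source token bucket.

Added example, not from the original mail: it reproduces the match semantics of
  --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 100/s --hashlimit-burst 100
so you can see which packets a -j DROP rule with these options would drop.
Timestamps are integer microseconds and tokens are integer micro-tokens so the
arithmetic is exact. The traffic at the bottom is constructed, not captured.
"""
import ipaddress
from collections import defaultdict

TOKEN = 1_000_000  # one token expressed in micro-token units


class HashLimit:
    """Per-source bucket: refills `rate_per_s` tokens/s, holds at most `burst` tokens."""

    def __init__(self, rate_per_s=100, burst=100, srcmask=32):
        self.rate = rate_per_s
        self.capacity = burst * TOKEN
        self.srcmask = srcmask
        # key -> (tokens, last_seen_us); the kernel keeps this table under
        # /proc/net/ipt_hashlimit/<--hashlimit-name>
        self.buckets = {}

    def key(self, src):
        """Group sources by --hashlimit-srcmask (32 means one bucket per address)."""
        return str(ipaddress.ip_interface(f"{src}/{self.srcmask}").network.network_address)

    def above_limit(self, src, now_us):
        """True when this packet is over the limit, i.e. the match fires and DROP applies."""
        k = self.key(src)
        # a new source starts with a full bucket (the burst)
        tokens, last = self.buckets.get(k, (self.capacity, now_us))
        # refill: dt microseconds * rate tokens/s == dt * rate micro-tokens
        tokens = min(self.capacity, tokens + (now_us - last) * self.rate)
        if tokens >= TOKEN:
            self.buckets[k] = (tokens - TOKEN, now_us)
            return False
        self.buckets[k] = (tokens, now_us)
        return True


def simulate(packets, rate_per_s=100, burst=100):
    """Run (timestamp_us, src) packets through the rule; return src -> (accepted, dropped)."""
    hl = HashLimit(rate_per_s, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts_us, src in sorted(packets):
        if hl.above_limit(src, ts_us):
            stats[src][1] += 1
        else:
            stats[src][0] += 1
    return {src: tuple(v) for src, v in stats.items()}


def constructed_traffic():
    """Constructed sample: a flood source and a normal client, both over one second."""
    pkts = []
    # assumed flood source: 10,000 queries evenly spaced over one second (10k q/s)
    pkts += [(i * 100, "198.51.100.7") for i in range(10_000)]
    # assumed ordinary client: 50 queries evenly spaced over the same second
    pkts += [(i * 20_000, "192.0.2.10") for i in range(50)]
    return pkts


if __name__ == "__main__":
    for src, (ok, dropped) in simulate(constructed_traffic()).items():
        print(f"{src}: accepted={ok} dropped={dropped}")
```

With these parameters the flooding address gets roughly 200 queries through in the first second (the 100-token burst plus 100/s of refill) and the rest are dropped, while the 50 q/s client is never touched, because each source has its own bucket. That is the behaviour to expect from the live rule; the counters of `iptables -L INPUT -v -n` and the entries under /proc/net/ipt_hashlimit/bad show the same thing on a real box.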

If anyone has developed a similar rule for FreeBSD, please share!

Kind regards,

Bert Hubert

