[Pdns-users] DNS amplification attack advice

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed May 30 07:52:17 UTC 2012

On Tue, May 29, 2012 at 04:32:23PM +0200,
 kalpesh thaker <kalpesh at webdevworld.com> wrote 
 a message of 252 lines which said:

> we have been, and still are currently the victims of a terrible DNS
> DOS amplification attack.
> May 28 15:01:13 ns1 pdns[9603]: Not authoritative for 'filezilla.de
> <http://filezilla.de>', sending servfail to
> (recursion was desired)

Where is the amplification? A SERVFAIL response is not larger than the
incoming request. Real amplification attacks query authoritative
servers (with the domains they manage) or open recursors.

> - setup IPtables with a chain to reject udp/tcp connections to port
> 53 if they create more than 7 connections per second

This requires connection tracking and could kill your machine if the
server has many different clients (specially for UDP where
"connections" are extremely short but Linux connection tracking
remembers them for a long time). 

I prefer the hashlimit module, it still has state but much less, and
it allows burstiness (this is very important on the public Internet):

iptables -A INPUT -p udp --dport 53 -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

More information about the Pdns-users mailing list