[Pdns-users] Rate limiting IPs or another protection against abuses
Kostya Keeper
kostya.keeper at gmail.com
Tue Jun 4 08:27:20 UTC 2013
Hello!
Sorry for my bad English.
You can try to analyze IP headers to find efficient strategy to block bad
requests. For example, I blocked bad packets by ID and TTL in IP header,
because some bad traffic had same ID=1 and strange TTL (246<TTL<249, by
default in most popular OSs TTL <= 128). In other case I used for filter
questions count in dns packets.
Filter by IPID=1 and 245<TTL<250:
iptables -I dns-filter -m u32 --u32 "5&0xFF=246:249 && 2&0xFFFF=0x1:0x1" -j
DROP
Filter by qdcount > 4 (this worked on 200 mbps flood with random source IP):
iptables -I dns-filter -m u32 --u32 "30&0xFFFF=5:0xFFFF" -j DROP
Expression for tcpdump to filter requests by question type, for example by
ANY (ID 255) :
dst port 53 && udp[10]&0xf8=0 && udp[12:4]=65536 && udp[16:4]=0 &&
udp[udp[4:2]-3]=255
2013/6/3 Fernando Morgenstern <fernandomorgenstern.fm at gmail.com>
> Hi,
>
> I have an issue where several IPs are making thousands of MBOXFW requests.
>
> This overloads our Mysql backend and crashes our server.
>
> I tried to block them manually in our firewall, but there are lots of
> different IPs.
>
> Does Powerdns offers a way to rate limit IPs? Or is there another solution
> to this issue?
>
> Thanks.
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20130604/4ca8eec7/attachment-0001.html>
More information about the Pdns-users
mailing list