[Pdns-users] Rate limiting IPs or another protection against abuses

Kostya Keeper kostya.keeper at gmail.com
Tue Jun 4 08:27:20 UTC 2013


Sorry for my bad English.

You can try to analyze IP headers to find efficient strategy to block bad
requests. For example, I blocked bad packets by ID and TTL in IP header,
because some bad traffic had same ID=1 and strange TTL (246<TTL<249, by
default in most popular OSs  TTL <= 128). In other case I used for filter
questions count in dns packets.

Filter by IPID=1 and 245<TTL<250:
iptables -I dns-filter -m u32 --u32 "5&0xFF=246:249 && 2&0xFFFF=0x1:0x1" -j

Filter by qdcount > 4 (this worked on 200 mbps flood with random source IP):
iptables -I dns-filter -m u32 --u32 "30&0xFFFF=5:0xFFFF" -j DROP

Expression for tcpdump to filter requests by question type, for example by
ANY (ID 255) :
dst port 53 && udp[10]&0xf8=0 && udp[12:4]=65536 && udp[16:4]=0 &&

2013/6/3 Fernando Morgenstern <fernandomorgenstern.fm at gmail.com>

> Hi,
> I have an issue where several IPs are making thousands of MBOXFW requests.
> This overloads our Mysql backend and crashes our server.
> I tried to block them manually in our firewall, but there are lots of
> different IPs.
> Does Powerdns offers a way to rate limit IPs? Or is there another solution
> to this issue?
> Thanks.
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20130604/4ca8eec7/attachment-0001.html>

More information about the Pdns-users mailing list