[Pdns-users] Rate limiting IPs or another protection against abuses
kostya.keeper at gmail.com
Tue Jun 4 08:27:20 UTC 2013
Sorry for my bad English.
You can try to analyze IP headers to find an efficient strategy to block bad
requests. For example, I blocked bad packets by ID and TTL in the IP header,
because some bad traffic had the same ID=1 and a strange TTL (246<TTL<249; by
default in most popular OSs TTL <= 128). In another case I filtered on the
question count in DNS packets.
Filter by IPID=1 and 245<TTL<250:
iptables -I dns-filter -m u32 --u32 "5&0xFF=246:249 && 2&0xFFFF=0x1:0x1" -j
Filter by qdcount > 4 (this worked on 200 mbps flood with random source IP):
iptables -I dns-filter -m u32 --u32 "30&0xFFFF=5:0xFFFF" -j DROP
Expression for tcpdump to filter requests by question type, for example by
ANY (ID 255):
dst port 53 && udp&0xf8=0 && udp[12:4]=65536 && udp[16:4]=0 &&
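As an added example (not from the original message or from PowerDNS), the following Python emulates the u32 byte-offset tests of the two iptables rules above on a constructed IPv4/UDP/DNS packet, so the offsets (TTL at byte 8, IP ID at bytes 4-5, QDCOUNT at bytes 32-33 behind a 20-byte IP header and 8-byte UDP header) can be checked before a rule is deployed. The evaluator handles only the OFFSET&MASK=LO:HI form used in those rules; the packet builder and its field values are constructed for the demonstration.

```python
import struct

def u32_match(packet: bytes, expr: str) -> bool:
    """Evaluate a minimal subset of iptables -m u32 expressions: tests of the
    form "OFFSET&MASK=LO:HI" joined by "&&". Each test reads the 4 big-endian
    bytes starting at OFFSET (counted from the start of the IP header), ANDs
    them with MASK and checks that the result lies within [LO, HI]. Numbers
    may be decimal or 0x-prefixed hex, as in u32 itself. (Added example: the
    real match also supports shifts, @ jumps and range lists, not needed here.)"""
    for test in expr.split("&&"):
        lhs, rng = test.strip().split("=")
        off_s, mask_s = lhs.split("&")
        off = int(off_s, 0)
        if off + 4 > len(packet):
            return False  # u32 fails the match if the 4-byte read leaves the packet
        word = struct.unpack_from("!I", packet, off)[0] & int(mask_s, 0)
        lo_s, _, hi_s = rng.partition(":")
        lo = int(lo_s, 0)
        hi = int(hi_s, 0) if hi_s else lo
        if not (lo <= word <= hi):
            return False
    return True

def build_dns_query(ip_id: int, ttl: int, qdcount: int) -> bytes:
    """Constructed IPv4 + UDP packet carrying a bare 12-byte DNS header (no
    question section) with the fields the rules inspect set explicitly."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, qdcount, 0, 0, 0)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0,
                     ttl, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + udp

# The two u32 expressions from the iptables rules above.
TTL_IPID_RULE = "5&0xFF=246:249 && 2&0xFFFF=0x1:0x1"   # byte 8 = TTL, bytes 4-5 = IP ID
QDCOUNT_RULE = "30&0xFFFF=5:0xFFFF"                     # bytes 32-33 = DNS QDCOUNT

def classify(packet: bytes) -> str:
    """Apply the rules in chain order and report which one would DROP."""
    if u32_match(packet, TTL_IPID_RULE):
        return "drop: IPID=1 and TTL in 246..249"
    if u32_match(packet, QDCOUNT_RULE):
        return "drop: QDCOUNT > 4"
    return "accept"

if __name__ == "__main__":
    print(classify(build_dns_query(ip_id=1, ttl=247, qdcount=1)))
    print(classify(build_dns_query(ip_id=0x5C3A, ttl=64, qdcount=5)))
    print(classify(build_dns_query(ip_id=0x5C3A, ttl=64, qdcount=1)))
```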
2013/6/3 Fernando Morgenstern <fernandomorgenstern.fm at gmail.com>
> I have an issue where several IPs are making thousands of MBOXFW requests.
> This overloads our Mysql backend and crashes our server.
> I tried to block them manually in our firewall, but there are lots of
> different IPs.
> Does Powerdns offers a way to rate limit IPs? Or is there another solution
> to this issue?