[Pdns-users] iphop.info attack today, iptables advice

Leo Vandewoestijne pdns at unicycle.net
Tue Nov 25 16:33:49 UTC 2014

> From: bert hubert <bert.hubert at netherlabs.nl>
> Subject: [Pdns-users] iphop.info attack today, iptables advice
> Hi everybody, 
> Today we've been working with multiple PowerDNS users on an unusually heavy
> DNS attack, this time targeting 'iphop.info'. Unusually, the attack is
> coming in very concentrated from a small number of IP addresses.
> Working with an impacted PowerDNS user, we found that the following works
> well on Linux:
> # iptables -I INPUT -i eth0 -p udp --dport 53 -m hashlimit --hashlimit-mode srcip \
>   --hashlimit-srcmask 32 --hashlimit-above 100/s                        \
>   --hashlimit-burst 100 --hashlimit-name=bad -j DROP 
> (adjust eth0 as required).
> This limits individual clients to 100 queries/s, allowing a burst of up to
> 100 queries above that. 
> This iptables rule is not PowerDNS specific by the way, and will also work
> for other nameservers.
> In one attack we saw on the order of 1 million queries/second, and this
> iptables rule was completely effective. 

> If anyone has developed a similar rule for FreeBSD, please share!
For TCP there is an example at http://www.openbsd.gr/faq/pf/filter.html
at the bottom of the paragraph #stateopts:

	table <abusive_hosts> persist
	block in quick from <abusive_hosts>

	pass in on $ext_if proto tcp to $dns_server port 53 flags S/SA keep state \
	  (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

After reading the entire paragraph it's unclear to me whether the other example does or doesn't work for UDP.
The paragraph "Keeping State for UDP" seems to confirm it does.
'max-src-conn' is a TCP thing, but 'max-src-conn-rate' doesn't say so explicitly (but I'm afraid it is).
*IF* that works for UDP, then the (untested!) rule would be:

        pass in on $ext_if proto udp to $dns_server port 53 keep state \
          (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

...but likely you want different numbers;
for clarity I kept them identical to correspond with the manual's example.


Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne
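To see what the quoted iptables rule (100/s above, burst 100, keyed per /32 source) actually lets through, here is a small simulation I added for illustration; it is not code from the thread, from PowerDNS or from netfilter. It approximates xt_hashlimit's credit/cost token bucket: each source gets a bucket of burst*cost credit that refills with elapsed time, each packet costs 1/rate seconds of credit, and a packet arriving with insufficient credit is what `--hashlimit-above` matches and `-j DROP` discards. The traffic is constructed (a flood source at 2000 qps and an ordinary resolver at 100 qps); the addresses are documentation ranges, not anything from the attack.

```python
"""Simulation (added example, not from the post) of the iptables rule
  -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32
     --hashlimit-above 100/s --hashlimit-burst 100 -j DROP
modelled as a per-source credit/cost token bucket, which is how
xt_hashlimit works in outline (this is an approximation, not its code)."""
import ipaddress

USEC = 1_000_000  # credit and time are kept in integer microseconds


def hashlimit_verdicts(packets, rate_per_s=100, burst=100, srcmask=32):
    """packets: iterable of (time_us, src_ip) in arrival order.

    Returns {masked_source_network: {"accepted": n, "dropped": m}}.
    A bucket holds at most burst*cost credit, refilled by elapsed time;
    a packet costs 1/rate seconds of credit. When the credit is short,
    the --hashlimit-above match fires and the packet is DROPped.
    """
    cost = USEC // rate_per_s          # credit consumed per packet
    cap = burst * cost                 # maximum stored credit (the burst)
    buckets = {}                       # key -> (credit_us, last_seen_us)
    counts = {}
    for t, src in packets:
        # --hashlimit-srcmask: aggregate sources into one bucket per prefix
        key = str(ipaddress.ip_network(f"{src}/{srcmask}", strict=False))
        credit, last = buckets.get(key, (cap, t))   # new sources start full
        credit = min(cap, credit + (t - last))      # refill by elapsed time
        stats = counts.setdefault(key, {"accepted": 0, "dropped": 0})
        if credit >= cost:
            credit -= cost
            stats["accepted"] += 1
        else:
            stats["dropped"] += 1                   # rule matches -> DROP
        buckets[key] = (credit, t)
    return counts


def sample_traffic():
    """Constructed traffic, not a capture: one flood source sending 1000
    queries in 0.5 s (2000 qps) and one normal resolver at 100 qps for 0.3 s."""
    flood = [(i * 500, "203.0.113.7") for i in range(1000)]
    normal = [(i * 10_000, "198.51.100.20") for i in range(30)]
    return sorted(flood + normal, key=lambda p: p[0])


def summarize():
    """Run the rule over the constructed traffic and return the per-source counts."""
    return hashlimit_verdicts(sample_traffic())


if __name__ == "__main__":
    for src, c in summarize().items():
        print(f"{src}: accepted={c['accepted']} dropped={c['dropped']}")
```

The flood source gets its 100-query burst plus roughly 100 queries per second of sustained rate (149 of its 1000 queries pass in half a second, the rest are dropped), while the resolver sending at exactly 100 qps is never touched because its bucket refills as fast as it drains. Raising `srcmask` below 32 (e.g. 24) makes neighbouring addresses share one bucket, which is worth knowing before applying the rule in front of clients behind a large NAT.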
