[Pdns-users] Rate Limiting Against DDOS
Alejandro Adroher Mellado
alejandro.adroher at omniaccess.com
Thu Jan 14 08:45:29 UTC 2016
Morning Everyone!!
I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.
I’m using a modified script who works perfectly, but I’m limited for one of the settings.
Here is the script.
:INPUT ACCEPT [548:41223]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4439:1270057]
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m recent --set --name dnsanyquery --mask 255.255.255.255 --rsource -j LOG --log-prefix "IPTables-Dropped: "
-A INPUT -p udp -m udp --dport 53 -m recent --rcheck --seconds 1 --hitcount 20 --name dnsanyquery --mask 255.255.255.255 --rsource -j LOG
COMMIT
The next combination (--seconds 1 --hitcount 20) allow a max of 20 qps.
The fact is that the hitcount does not allow to use a number upper than 20. An I’m looking for some rules which allow me to rate limit over 200 or 300 qps.
And a cannot find it!!
As you can see, I’m only logging to a file these queries up to 20 per second, after that I’m using fail2band to block these logged queries. Someone knows a better way to block queries upper to 300 per second.
I’m losing a lot of time. Rate limiting to prevent DDos is killing my brain. :-)
How do you rate limit your DNS servers?
Thanks in advance.
Alejandro.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20160114/a0703aec/attachment.html>
More information about the Pdns-users
mailing list