Open DNS Resolver reflection attack Mitigation
- Subject: Open DNS Resolver reflection attack Mitigation
- From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
- Date: Fri, 8 Jun 2012 21:26:05 +0200
- In-reply-to: <[email protected]>
- References: <[email protected]>
On Fri, Jun 08, 2012 at 03:09:04PM -0400,
Joe Maimon <jmaimon at ttec.com> wrote
a message of 7 lines which said:
> Is there any publicly available rate limiting for BIND?
Not as far as I know. I'm not sure it would be a good idea. BIND is
feature-rich enough.
> How about host-based IDS that can be used to trigger rtbh or iptables?
What I do (I manage a small and experimental open resolver) is to use
iptables this way (porting it to IPv6 is left as an exercise):
iptables -A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
So, every prefix (length 28) can send 20 r/s with allowed bursts of
100. This requires a Netfilter >= 1.4 (recent options of module
hashlimit).
Most iptables recipes that you find on the Web are not well suited to
DNS. They use connection tracking, for instance, while, with the DNS,
every request/response is a "connection".
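The following script is an added example, not part of the original message or its author's article: it wraps the hashlimit rule above in a function that emits the IPv4 rule exactly as posted and an IPv6 port of it for ip6tables. The rate (20/second), burst (100) and IPv4 source mask (/28) come from the message; the IPv6 source mask of /64 and the rule names are assumptions chosen here. Like the original rule it uses only the hashlimit match, so no connection tracking is involved, which is the point made above about DNS over UDP.

```shell
#!/bin/sh
# Added example (not from the original post): per-source-prefix rate limiting of
# inbound UDP/53 with the hashlimit match, for IPv4 and IPv6.
# RATE, BURST and SRCMASK4 copy the values from the message; SRCMASK6=64 is an
# assumption (one /64 treated as the IPv6 analogue of one IPv4 /28).
RATE="${RATE:-20/second}"
BURST="${BURST:-100}"
SRCMASK4="${SRCMASK4:-28}"
SRCMASK6="${SRCMASK6:-64}"

# dns_ratelimit_rule FAMILY: print the rule for FAMILY (4 or 6) on stdout.
# --hashlimit-above matches packets that exceed the rate, so the target is DROP;
# the match keeps its own per-prefix buckets and never consults conntrack.
dns_ratelimit_rule() {
    case "$1" in
        4) tool=iptables;  mask="$SRCMASK4"; name=DNS  ;;
        6) tool=ip6tables; mask="$SRCMASK6"; name=DNS6 ;;
        *) echo "usage: dns_ratelimit_rule 4|6" >&2; return 1 ;;
    esac
    printf '%s -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-name %s --hashlimit-above %s --hashlimit-mode srcip --hashlimit-burst %s --hashlimit-srcmask %s -j DROP\n' \
        "$tool" "$name" "$RATE" "$BURST" "$mask"
}

# apply_dns_ratelimit: install both rules, or only print them when DRY_RUN is set.
apply_dns_ratelimit() {
    for fam in 4 6; do
        rule=$(dns_ratelimit_rule "$fam") || return 1
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$rule"
        else
            # word-splitting the rule string into a command line is intended here
            $rule
        fi
    done
}

# Only act when executed as dns-ratelimit.sh; sourcing the file runs nothing.
if [ "${0##*/}" = "dns-ratelimit.sh" ]; then
    apply_dns_ratelimit
fi
```

Review the output with `DRY_RUN=1 sh dns-ratelimit.sh` before running it as root; as with the original rule, a single prefix that legitimately sends more than the rate (a large NAT, for example) will have its excess queries dropped, so the mask and rate should be tuned to what the resolver actually serves.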
I have a more complete article on this setup but in French only
<http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html>.
> Google and Level3 manage to run open resolvers, why can't I?
You have less money :-)