I want to rate limit queries to mitigate the threat of a Polyakov-styled attack, but I can't find anything on iptables rate limiting based on bits, bytes, or Mb / time (as opposed to packets/time). I looked through the standard iptables extensions, and through the patch-o-matic offerings, and can't find the right tool. Assuming that the size of any single UDP packet in a query can change, up to the limit where it is refused in exchange for a TCP packet, I can't even see how the correct packets/time could be accurately inferred. Any recommendations?
(NOTE: Tried posting to the netfilter list before posting here, but haven't gotten a response, and want to address this ASAP, so any expertise would be appreciated...)

Thanks!
Steven Stromer

On Aug 12, 2008, at 11:15 AM, Chris Buxton wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Don't forget the Polyakov attack. Rate-limit your inbound traffic as
> per Paul Vixie's recommendation (no more than 10 Mbit/s of inbound DNS
> traffic), if necessary, using a firewall on your DNS server, or
> possibly using an external DNS server.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On Aug 12, 2008, at 7:08 AM, Paul A wrote:
>
>> Thanks Kevin, didn't know if doing random with iptables was going to
>> make it harder to guess instead of just using the new bind with port
>> randomization.
>>
>> So at this point I'm assuming that aside from using secure zones,
>> using the new bind is all that can be done?
>>
>> paul
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
>
> iEYEARECAAYFAkihqREACgkQ0p/8Jp6Boi09uwCfem+soAjGYEy4abH2y6RxggMq
> XX0AoKSru0q+ESnrptnQU+ClwRMuFGQC
> =s6ZQ
> -----END PGP SIGNATURE-----
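The question above turns on the difference between a packets/time limit (what the iptables `limit` match enforces) and the bytes/time budget in Chris's quoted recommendation (10 Mbit/s of inbound DNS, i.e. 1,250,000 bytes/s). The Python model below is an added illustration written for this thread, not code posted in it or shipped with iptables or BIND: it implements a token bucket that can be charged either per byte or per packet, runs constructed traffic of mixed packet sizes through both, and shows why a packets/s figure inferred from one packet size cannot stand in for a byte budget. The traffic mix, the 0.1 s burst allowance and the "derive pps from the smallest packet" heuristic are all assumptions chosen for the demonstration. For a real deployment, later iptables releases added byte-based rates to the `hashlimit` match and nftables has `limit rate ... bytes/second`; confirm the exact syntax in your version's man page, since neither existed in 2008.

```python
"""Byte-based token bucket for inbound DNS traffic (added illustration).

Example code written for this thread, not something posted in it. It models
what a bytes-per-second firewall rule does, as opposed to the packets-per-second
behaviour of the iptables 'limit' match, so the two can be compared offline.
All traffic below is constructed.
"""
from typing import Dict, Iterable, Tuple

BYTES_PER_MBIT = 1_000_000 // 8                 # 125,000 bytes per Mbit
VIXIE_CAP_BYTES_PER_S = 10 * BYTES_PER_MBIT     # the 10 Mbit/s figure quoted in the thread


class TokenBucket:
    """Token bucket refilled at `rate` tokens/second, storing at most `burst`.

    count_bytes=True charges a packet its size in bytes (byte-based limit);
    count_bytes=False charges one token per packet (packet-based limit).
    """

    def __init__(self, rate: float, burst: float, count_bytes: bool = True) -> None:
        self.rate = rate
        self.burst = burst
        self.count_bytes = count_bytes
        self.tokens = float(burst)   # start with a full bucket
        self.last = 0.0              # arrival time of the previous packet

    def allow(self, now: float, size: int) -> bool:
        """True if a packet of `size` bytes arriving at time `now` passes."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        cost = size if self.count_bytes else 1
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False


def constructed_traffic(n: int, duration: float,
                        sizes: Tuple[int, ...]) -> Iterable[Tuple[float, int]]:
    """Constructed sample: n packets spread evenly over `duration` seconds,
    cycling through `sizes` so the packet size is not constant (as with
    real queries, whose size varies with the name and with EDNS options)."""
    for i in range(n):
        yield (i * duration / n, sizes[i % len(sizes)])


def run(bucket: TokenBucket, packets: Iterable[Tuple[float, int]]) -> Tuple[int, int]:
    """Feed packets through the bucket; return (accepted_packets, accepted_bytes)."""
    accepted = accepted_bytes = 0
    for now, size in packets:
        if bucket.allow(now, size):
            accepted += 1
            accepted_bytes += size
    return accepted, accepted_bytes


def compare(n: int = 10_000, duration: float = 1.0,
            sizes: Tuple[int, ...] = (60, 60, 60, 1400)) -> Dict[str, object]:
    """Run identical constructed traffic through a byte-based limiter set to the
    10 Mbit/s cap and through a packet-based limiter whose packets/s figure was
    inferred from the smallest packet size (the inference the question asks about).
    Burst allowance for both is 0.1 s worth of credit (an assumption)."""
    byte_burst = VIXIE_CAP_BYTES_PER_S // 10
    byte_limited = TokenBucket(VIXIE_CAP_BYTES_PER_S, byte_burst, count_bytes=True)
    pps_guess = VIXIE_CAP_BYTES_PER_S / min(sizes)          # ~20,833 packets/s
    packet_limited = TokenBucket(pps_guess, pps_guess / 10, count_bytes=False)

    offered = sum(size for _, size in constructed_traffic(n, duration, sizes))
    return {
        "offered_bytes": offered,
        "byte_limit": run(byte_limited, constructed_traffic(n, duration, sizes)),
        "packet_limit": run(packet_limited, constructed_traffic(n, duration, sizes)),
    }


if __name__ == "__main__":
    result = compare()
    print("offered bytes in 1 s:", result["offered_bytes"])
    print("byte-based limit   (pkts, bytes):", result["byte_limit"])
    print("packet-based limit (pkts, bytes):", result["packet_limit"])
```

With the constructed mix, 10,000 packets offer 3.95 MB in one second, about three times the 1.25 MB/s budget. The byte-based bucket holds accepted traffic to roughly the budget plus the burst allowance, while the packet-based bucket, tuned for 60-byte queries, passes every packet because the packet rate never exceeds its limit; the 1400-byte packets ride through at no extra cost. That is the gap the question describes, and it is why a byte-aware match (or a limiter placed in front of the server that counts bytes) is the right tool rather than a packets/s rule with a guessed conversion factor. One caveat worth keeping in mind: any inbound limit that is tripped by a spoofed flood also drops some legitimate queries, so the figure chosen should sit well above normal peak load.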
