On 2012-06-10 8:45 AM, Jim Reid wrote:
> On 10 Jun 2012, at 09:19, DTNX Postmaster wrote:
>> The iptables rules mentioned in the first comment work well for us
>
> Well for starters, I [dw]on't use Linux. The server runs FreeBSD.

what f-root has done for the last ten years (also on freebsd) is:

    add pipe 1 udp from any to any 53 in
    pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 400Kbit/s queue 3
    add pipe 2 tcp from any to any 53 in
    pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3

note, this approach, and the iptables approach, are inadequate since they look only at the query ip, whereas rate limiting has to take the desired response into account. i say desired response because one of the myriad attack formats of interest is <randomstring>.<domain> where "domain" is dnssec signed. here the desired response will be of the form "NXDOMAIN, proof from 'domain'". these have to be rate limited also, and there's no way to do that upstream of the name server.

which brings me to:

> Besides, the damage is done by the time these packets hit the server's
> ethernet card. At ~4000qps inbound, this is close to saturating the
> server's VLAN in the data centre. The traffic needs to be blocked
> before it reaches that. ...

i don't agree. 4Kqps is no big deal in input, it's the output that would cost you money. and as described above, there's no accurate rate limiting possible upstream of the name server; one has to know the proposed response before one can decide whether a given response ought to be dropped.

paul

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
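The argument in the message above is that a limiter keyed only on the query source (what the ipfw `mask src-ip` pipes and the iptables rules see) cannot tell a flood of `<randomstring>.<domain>` queries, all of which produce the same "NXDOMAIN, proof from 'domain'" reply, from legitimate queries coming from the same address, and that it meters the cheap input rather than the expensive output. The following is an added example written for this page, not code from the poster, f-root or any name server: it models both views as token buckets, keying the name-server-side limiter on (client netblock, identity of the response that would be sent), so that every random-label query against a signed zone collapses into one bucket while a real answer for `www.example.com` keeps its own. The zone names, addresses, response sizes, rates and burst values are constructed assumptions, and the clock is passed in explicitly so the run is deterministic.

```python
"""Response-aware rate limiting versus query-source-only rate limiting.

Added example (not the list poster's code). All names, sizes and rates are
illustrative assumptions.
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """What the server *would* send for a query (constructed test data)."""
    qname: str
    qtype: str
    rcode: str    # "NOERROR" or "NXDOMAIN"
    zone: str     # zone whose data (and DNSSEC proof) makes up the reply
    size: int     # bytes on the wire: the part the outbound link pays for


def response_identity(resp):
    """Name the response, not the query that triggered it.

    Every <randomstring>.example.com query draws the same kind of reply,
    NXDOMAIN plus the denial proof from example.com, so they all share one
    key, while a real answer for www.example.com gets a key of its own.
    """
    if resp.rcode == "NXDOMAIN":
        return ("NXDOMAIN", resp.zone.lower())
    return (resp.rcode, resp.qname.lower(), resp.qtype)


def client_block(addr, prefixlen=24):
    """Aggregate clients per netblock (assumed /24); spoofed sources vary."""
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


class TokenBucketLimiter:
    """One token bucket per key; `now` is supplied by the caller."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst, self.buckets = rate_per_sec, burst, {}

    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[key] = (tokens - 1.0 if ok else tokens, now)
        return ok


class QuerySourceLimiter(TokenBucketLimiter):
    """Upstream view (like ipfw 'mask src-ip'): only the query source is known."""

    def decide(self, client, resp, now):
        return self.allow(client, now)


class ResponseRateLimiter(TokenBucketLimiter):
    """Name-server view: key on who is asking AND what they would be sent."""

    def decide(self, client, resp, now):
        return self.allow((client_block(client), response_identity(resp)), now)


def simulate(limiter, n_attack=1000, seed=1):
    """Random-label NXDOMAIN flood from one spoofed source, then one real query.

    Returns (attack_replies_sent, attack_bytes_sent, legit_reply_allowed).
    """
    rng = random.Random(seed)
    victim = "192.0.2.10"  # spoofed source, i.e. the reflection target (assumed)
    sent = out_bytes = 0
    for _ in range(n_attack):
        label = "".join(rng.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=12))
        resp = Response(f"{label}.example.com", "A", "NXDOMAIN", "example.com", 1100)
        if limiter.decide(victim, resp, now=0.0):
            sent += 1
            out_bytes += resp.size
    legit = Response("www.example.com", "A", "NOERROR", "example.com", 300)
    return sent, out_bytes, limiter.decide(victim, legit, now=0.0)


if __name__ == "__main__":
    for cls in (QuerySourceLimiter, ResponseRateLimiter):
        replies, nbytes, legit_ok = simulate(cls(rate_per_sec=5, burst=10))
        print(f"{cls.__name__}: {replies} attack replies, {nbytes} bytes out, "
              f"legit www.example.com answer allowed: {legit_ok}")
```

Both limiters cap the flood at the burst size, but only the response-keyed one still answers the real `www.example.com` query from the same address, because that reply lives in a different bucket; the source-only limiter has already spent the source's budget on the identical NXDOMAIN proofs. Counting `out_bytes` rather than inbound queries is what makes the cost visible: with the assumed sizes, each 1100-byte signed denial answers a query an order of magnitude smaller, so an input-bandwidth pipe admits far more output than it appears to.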