Scott Brynen wrote:
> if you're not using the absolute latest bind, you can do a quick and nasty
> using IPTABLES.

likewise ipfw. however, these would be request-based thresholds, which have an unacceptably high rate of both false positives and false negatives. i strongly recommend against this approach when protecting remote victims. iptables and ipfw can be used with very high thresholds (20X the thresholds used for RRL) in order to protect a name server, but at that threshold you will do nothing to protect remote victims.

paul

re:

>
> Basically; if you get more than 12 hits in 75 seconds from the same IP, start
> dropping them. There are few DNS situations where a client would make that
> many requests back to back to back, and even if you start denying them, their
> resolver (if it's real) should just switch over to another NS server.
>
> iptables -A INPUT -p udp -m udp -m recent -i eth0 --dport 53 --update --seconds 75 --hitcount 12 --name DNSTHROTTLE --rsource -j DROP
> iptables -A INPUT -p udp -m udp -m recent -i eth0 --dport 53 -j ACCEPT --set --name DNSTHROTTLE --rsource
>
>>> I recently helped close down an open recursive resolver. It is still getting
>>> a lot of queries for isc.org/ANY which get a refused response (unless
>>> slipped/dropped by RRL). Granted, this doesn't amplify the attack since
>>> REFUSED is a fairly small packet, but it is still traffic to the attacked
>>> site.
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
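The distinction drawn in the reply above (a per-source request counter versus RRL, which keys on the response) can be made concrete with a small simulation. The following is an added example written for this page; it is neither code from the thread nor BIND's RRL implementation. The RecentMatch class follows the documented semantics of the quoted `-m recent --update/--set` rule pair; the ResponseRateLimit class is a deliberately simplified model of RRL (a fixed per-second limit per client /24 and response identity, with every slip-th excess response truncated). The resolver address 192.0.2.10, the claimed source 203.0.113.5, the 200 queries/second rate and the 240 "protect the server only" threshold are constructed inputs, not figures from the thread.

```python
"""Toy model of the two filters discussed in the thread: the iptables
'recent' request counter from the quoted rules versus DNS Response Rate
Limiting (RRL).  Added example; not code from the thread or from BIND.
All traffic below is constructed."""
from collections import defaultdict, deque


class RecentMatch:
    """Models the quoted rule pair:
       -m recent --update --seconds S --hitcount N -j DROP   (rule 1)
       -m recent --set                            -j ACCEPT  (rule 2)
    Rule 1 matches when the source already has N timestamps inside the
    window; a dropped packet still refreshes the entry, so a source that
    keeps sending stays blocked.  The real module keeps at most
    ip_pkt_list_tot (default 20) stamps per address, which caps the usable
    --hitcount unless that module parameter is raised."""

    def __init__(self, seconds=75, hitcount=12):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(deque)

    def allow(self, src, now):
        q = self.stamps[src]
        while q and now - q[0] > self.seconds:  # forget stamps outside the window
            q.popleft()
        blocked = len(q) >= self.hitcount
        q.append(now)  # --set and a matched --update both record this hit
        return not blocked


class ResponseRateLimit:
    """Simplified RRL (hypothetical model, not BIND's code): identical
    responses (same name and type) to the same IPv4 /24 are limited to
    per_second; beyond that every slip-th excess response is sent truncated
    (TC=1) so a genuine client retries over TCP, and the rest are dropped."""

    def __init__(self, per_second=5, slip=2):
        self.per_second, self.slip = per_second, slip
        self.counts = {}  # (netblock, response) -> (second, count)

    def decide(self, src, response, now):
        key = (src.rsplit(".", 1)[0], response)  # /24 key for dotted-quad IPv4
        sec = int(now)
        s, n = self.counts.get(key, (sec, 0))
        if s != sec:
            s, n = sec, 0
        n += 1
        self.counts[key] = (s, n)
        if n <= self.per_second:
            return "answered"
        excess = n - self.per_second
        return "slipped" if excess % self.slip == 0 else "dropped"


def simulate(packets, recent, rrl):
    """Run one packet list of (time, src, qname, qtype) through both filters."""
    stats = defaultdict(int)
    for t, src, qname, qtype in packets:
        stats["recent_answered" if recent.allow(src, t) else "recent_dropped"] += 1
        stats["rrl_" + rrl.decide(src, (qname, qtype), t)] += 1
    return dict(stats)


def resolver_burst(src="192.0.2.10", n=30, spacing=0.25):
    """Constructed: a legitimate recursive resolver refreshing 30 different
    names over 7.5 seconds, e.g. after a batch of cache entries expired."""
    return [(i * spacing, src, f"host{i}.example", "A") for i in range(n)]


def reflection_stream(src="203.0.113.5", rate=200, seconds=5):
    """Constructed: the thread's isc.org/ANY case, 200 identical queries per
    second all carrying the same (claimed) source address."""
    return [(i / rate, src, "isc.org", "ANY") for i in range(rate * seconds)]


def compare(hitcount=12):
    """Both scenarios under a fresh request counter and a fresh RRL state."""
    return {
        "resolver": simulate(resolver_burst(), RecentMatch(75, hitcount), ResponseRateLimit()),
        "reflection": simulate(reflection_stream(), RecentMatch(75, hitcount), ResponseRateLimit()),
    }


if __name__ == "__main__":
    # 12 is the quoted threshold; 240 stands in for a "protect the server only" setting
    for hc in (12, 240):
        print(f"--hitcount {hc}:", compare(hc))
```

With the quoted threshold the request counter drops 18 of the legitimate resolver's 30 distinct queries (the false-positive case) while RRL answers all 30, because every response is different; against the identical-query stream both filters cut most of the flow, but RRL still lets a few full answers and truncated replies through so a real client at that address can recover over TCP. Raising the hitcount to 240 stops the false positives and still protects the server from overload, yet 240 amplified answers per window now reach the claimed source address, which is the trade-off the reply describes.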
