Hello Axel,

Check out fastnetmon if you have sFlow (preferably) or NetFlow support on your switches or routers facing external providers; you can put pps per second thresholds on.

But bear in mind, if the amount of bandwidth being sent to your router exceeds capacity you need to send a BGP community to do Remote Triggered Black Hole to your providers... RTBH... (BGP communities) etc.

Best of luck

On Fri, 7 May 2021 at 10:10, Axel Rau <axel....@chaos1.de> wrote:
>
> > On 05.05.2021 at 16:20, Stuart Henderson <s...@spacehopper.org> wrote:
> >
> > This is usually best dealt with in your DNS server software e.g. by using
> > the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
> > section in BIND.
>
> Yes, I have this in place now, but I am trying to let the fw drop them.
> This does not seem to work:
>
> udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global )'
> …
> pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
>     port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"
>
> Is this not possible with udp?
>
> Axel
> ---
> PGP-Key: CDE74120 computing @ chaos claudius
>

--
Kindest regards,
Tom Smyth
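An added note on the pf rule quoted above (this is not part of either message): pf's max-src-conn and max-src-conn-rate limits, and the overload table they feed, are evaluated when a TCP three-way handshake completes (see pf.conf(5) and the state-tracking code), so on a UDP rule they never trigger. The per-source limit that does apply to UDP is max-src-states, which refuses new states from a source above the cap. The fragment below reuses Axel's macros ($red_if, $ns4, $ns5) and picks 120 as an illustrative cap; it is example configuration, not the poster's ruleset.

```pf
# Added example, not from the thread. Assumed macros: $red_if, $ns4, $ns5.

# As posted: max-src-conn-rate counts completed TCP handshakes, so this
# option (and the overload <bruteforce> it drives) never fires for UDP.
# udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global)'

# For UDP, cap concurrent states per source instead. source-track enables the
# per-address bookkeeping; 120 is an illustrative value. Because UDP DNS states
# expire quickly (udp.single / udp.multiple timeouts), this bounds queries in
# flight per source rather than a strict queries-per-second rate.
# Note: exceeding max-src-states drops the new packet but does not add the
# source to an overload table, so no <bruteforce> table is used here.
udp_inbound_dns_options = "keep state (source-track rule, max-src-states 120)"

pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
    port domain tag RED_DMZ $udp_inbound_dns_options label "dns inbound"

# Check what a given source currently holds against this rule:
#   pfctl -s Sources
#   pfctl -s rules -vv   (the "States created" and source-track counters)
```

True per-query rate limiting still belongs in the resolver itself (NSD rrl-* or BIND rate-limit, as Stuart suggested); the pf cap is a coarse backstop that also limits spoofed-source floods only per address.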