Hello! Sorry for my bad English.
You can try to analyze IP headers to find an efficient strategy to block bad requests. For example, I blocked bad packets by ID and TTL in the IP header, because some bad traffic had the same ID=1 and a strange TTL (246<TTL<249; by default in the most popular OSs TTL <= 128). In another case I used the question count in DNS packets as a filter.

Filter by IPID=1 and 245<TTL<250:

    iptables -I dns-filter -m u32 --u32 "5&0xFF=246:249 && 2&0xFFFF=0x1:0x1" -j DROP

Filter by qdcount > 4 (this worked on a 200 mbps flood with random source IPs):

    iptables -I dns-filter -m u32 --u32 "30&0xFFFF=5:0xFFFF" -j DROP

Expression for tcpdump to filter requests by question type, for example by ANY (ID 255):

    dst port 53 && udp[10]&0xf8=0 && udp[12:4]=65536 && udp[16:4]=0 && udp[udp[4:2]-3]=255

2013/6/3 Fernando Morgenstern <[email protected]>

> Hi,
>
> I have an issue where several IPs are making thousands of MBOXFW requests.
>
> This overloads our MySQL backend and crashes our server.
>
> I tried to block them manually in our firewall, but there are lots of
> different IPs.
>
> Does PowerDNS offer a way to rate limit IPs? Or is there another solution
> to this issue?
>
> Thanks.
>
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
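The three filter expressions in the reply above read fixed byte offsets out of the IPv4, UDP and DNS headers, which is easy to get wrong. The following Python script is an added example (not code from the poster or from the PowerDNS project) that builds constructed IPv4/UDP/DNS query packets and evaluates the same three predicates on them, using the identical offsets and masks so the arithmetic can be checked offline. An iptables u32 term "offset&mask" reads 4 bytes starting at offset (counted from the start of the IPv4 header) and masks them, so "5&0xFF" isolates byte 8 (TTL) and "30&0xFFFF" isolates bytes 32-33 (DNS QDCOUNT); tcpdump's udp[n] counts from the start of the UDP header. Two caveats the script makes explicit: the u32 rules hard-code a 20-byte IP header (IP options shift every DNS offset), and the qdcount rule matches any packet with that value at bytes 32-33, so the dns-filter chain must only ever see UDP port 53 traffic. The packet builder, addresses and ports are constructed sample data.

```python
"""Evaluate the reply's u32 and tcpdump DNS filters against raw packets.

Added example, not the poster's code. Offsets follow the expressions literally:
u32 offsets count from the start of the IPv4 header and read 4 bytes, masked;
tcpdump udp[n] offsets count from the start of the UDP header.
"""
import struct

QTYPE_A = 1
QTYPE_ANY = 255


def build_dns_query(ttl, ip_id, qname, qtype=QTYPE_A, qdcount=1,
                    src_port=40000, dst_port=53):
    """Construct an IPv4+UDP+DNS query (constructed test data; checksums left at 0).

    qdcount is written into the DNS header independently of the single question
    actually encoded, which mirrors flood packets whose header lies about it.
    """
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    # DNS header: ID, flags (standard query, RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, qdcount, 0, 0, 0) + question
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(dns), 0) + dns
    # IPv4 header (20 bytes, IHL=5): ver/IHL, TOS, total len, ID, flags/frag,
    # TTL, proto=17 (UDP), checksum, src, dst  (documentation-range addresses)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, ttl, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))
    return ip + udp


def u32(pkt, offset, mask):
    """One iptables u32 term "offset&mask": 4 bytes at offset, big-endian, masked."""
    return int.from_bytes(pkt[offset:offset + 4], "big") & mask


def match_ttl_ipid(pkt):
    """Rule 1: "5&0xFF=246:249 && 2&0xFFFF=0x1:0x1" (TTL 246..249 and IP ID == 1)."""
    ttl = u32(pkt, 5, 0xFF)       # bytes 5..8 masked down to byte 8 = TTL
    ip_id = u32(pkt, 2, 0xFFFF)   # bytes 2..5 masked down to bytes 4..5 = Identification
    return 246 <= ttl <= 249 and ip_id == 1


def match_qdcount_gt4(pkt):
    """Rule 2: "30&0xFFFF=5:0xFFFF" (DNS QDCOUNT >= 5).

    Assumes a 20-byte IP header: UDP at byte 20, DNS header at byte 28,
    QDCOUNT at bytes 32..33. With IP options present this reads the wrong field.
    """
    return 5 <= u32(pkt, 30, 0xFFFF) <= 0xFFFF


def match_any_query(pkt):
    """tcpdump: dst port 53 && udp[10]&0xf8=0 && udp[12:4]=65536 && udp[16:4]=0
    && udp[udp[4:2]-3]=255  (a plain one-question query whose QTYPE is ANY)."""
    ihl = (pkt[0] & 0x0F) * 4           # tcpdump resolves udp[] past IP options
    udp = pkt[ihl:]
    dst_port = int.from_bytes(udp[2:4], "big")
    udp_len = int.from_bytes(udp[4:6], "big")
    if dst_port != 53 or udp_len > len(udp) or udp_len < 20:
        return False
    return (udp[10] & 0xF8 == 0                          # QR=0, OPCODE=0: standard query
            and int.from_bytes(udp[12:16], "big") == 65536   # QDCOUNT=1, ANCOUNT=0
            and int.from_bytes(udp[16:20], "big") == 0       # NSCOUNT=0, ARCOUNT=0 (no EDNS)
            and udp[udp_len - 3] == QTYPE_ANY)               # low byte of the question's QTYPE


def classify(pkt):
    """Return the names of the filters a packet would trip."""
    hits = []
    if match_ttl_ipid(pkt):
        hits.append("ttl_ipid")
    if match_qdcount_gt4(pkt):
        hits.append("qdcount_gt4")
    if match_any_query(pkt):
        hits.append("any_query")
    return hits


if __name__ == "__main__":
    samples = {
        "normal A query":        build_dns_query(ttl=64, ip_id=0x1A2B, qname="example.com"),
        "ID=1, TTL=247 flood":   build_dns_query(ttl=247, ip_id=1, qname="example.com"),
        "header says QDCOUNT=9": build_dns_query(ttl=64, ip_id=7, qname="example.com", qdcount=9),
        "ANY query":             build_dns_query(ttl=64, ip_id=7, qname="example.com", qtype=QTYPE_ANY),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {classify(pkt) or ['pass']}")
```

Running the script prints which of the three filters each constructed packet would hit; in production the equivalent check is to capture a sample of the flood with tcpdump -w and run the same predicates over it before committing a DROP rule, since a mis-set offset silently drops legitimate queries.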
