Hi everybody,

Today we've been working with multiple PowerDNS users on an unusually heavy DNS attack, this time targeting 'iphop.info'. Unusually, the attack is coming in very concentrated from a small number of IP addresses.
Working with an impacted PowerDNS user, we found that the following works well on Linux:

    # iptables -I INPUT -i eth0 -p udp --dport 53 -m hashlimit --hashlimit-mode srcip \
        --hashlimit-srcmask 32 --hashlimit-above 100/s \
        --hashlimit-burst 100 --hashlimit-name=bad -j DROP

(adjust eth0 as required). This limits individual clients to 100 queries/s, allowing a burst of up to 100 queries above that.

This iptables rule is not PowerDNS specific by the way, and will also work for other nameservers.

In one attack we saw on the order of 1 million queries/second, and this iptables rule was completely effective.

If anyone has developed a similar rule for FreeBSD, please share!

Kind regards,

Bert Hubert
PowerDNS

--
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
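As an added example (not part of Bert's post), here is a small POSIX shell wrapper around the same hashlimit rule: it builds the rule once so it can be checked before insertion (avoiding duplicate rules on re-run), and it reads the rule's packet counter from `iptables -nvxL` output so an operator can confirm the rule is actually dropping traffic. The interface, rate and burst defaults, the sample counter output and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: idempotent application and monitoring of the per-source
# DNS hashlimit rule. Assumes Linux with iptables; applying needs root.

IFACE="${IFACE:-eth0}"    # adjust to the interface facing the clients
RATE="${RATE:-100/s}"     # per-source query rate above which packets are dropped
BURST="${BURST:-100}"     # extra queries tolerated in a burst

# Rule body after the chain name, shared by -C (check), -I (insert), -D (delete).
dns_hashlimit_rule() {
    printf '%s' "-i $IFACE -p udp --dport 53 -m hashlimit --hashlimit-mode srcip \
--hashlimit-srcmask 32 --hashlimit-above $RATE --hashlimit-burst $BURST \
--hashlimit-name bad -j DROP"
}

# Insert the rule only if it is not already present (iptables -C exits 0 if it is).
apply_dns_hashlimit() {
    # shellcheck disable=SC2046  # word splitting of the rule body is intended
    if iptables -C INPUT $(dns_hashlimit_rule) 2>/dev/null; then
        echo "hashlimit rule already present"
    else
        iptables -I INPUT $(dns_hashlimit_rule)
    fi
}

# Given the text of `iptables -nvxL INPUT`, print the packet counter of the
# first DROP rule matching UDP port 53, i.e. how many queries were rate-limited.
dropped_pkts() {
    printf '%s\n' "$1" | awk '/DROP/ && /udp/ && /dpt:53/ { print $1; exit }'
}

# Constructed sample output in the shape `iptables -nvxL INPUT` prints
# (not a real capture); used to demonstrate dropped_pkts offline.
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 4200 packets, 310000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 1234567 98765432 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 limit: above 100/s burst 100 mode srcip'

# Run with "apply" (as root) to install the rule; "show" parses the live counters.
case "${1:-}" in
    apply) apply_dns_hashlimit ;;
    show)  dropped_pkts "$(iptables -nvxL INPUT)" ;;
esac
```

Re-running `apply` is safe because the check step finds the existing rule; watching the counter over time shows whether the threshold is firing against real clients as well as the attack source.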