How to Limit DNS Request per ip source ?

2013-01-14 Thread Gaurav Kansal
Dear All,

I want to limit the DNS requests per IP source through iptables.

I tried the following commands, but unfortunately didn't succeed.

-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name DNSQF --rsource -j DROP

If anyone is using iptables for limiting DNS queries per IP, then please help me
out.

Thanks and Regards,

Gaurav Kansal

Mob - 9910118448

Happy New Year 2013.

IPv4 is Over,
Are you ready for the new Network?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How to Limit DNS Request per ip source ?

2013-01-14 Thread Stephane Bortzmeyer
On Mon, Jan 14, 2013 at 06:36:44PM +0530,
 Gaurav Kansal gaurav.kan...@nic.in wrote
 a message of 156 lines which said:

> I tried the following commands, but unfortunately didn't succeed.

Why do you want to limit? If it is against a DoS attack, I warn you
that most Netfilter modules (for instance, state) require allocating
a state on the firewall and a clever attack can fill the memory of the
machine.

> If anyone is using iptables for limiting DNS Query per IP,

If you have a DNS server used for reflection+amplification attacks
*and* it is a Linux machine *and* you have Netfilter >= 1.4 *and* you
cannot or do not want to install the patches for BIND or NSD to do
rate-limiting (they may provide a better result) *and* the attack is
over IPv4 *and* the attacker uses only a few domain names, you could
be interested in the technique we use. Disclaimer: it works for us, it
will not work forever, it works now.

The idea is to use the Netfilter u32 module to recognize the attack,
then to rate-limit it with the Netfilter hashlimit module.

First, get the iptables rules generation script
http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py.

Then, look at the traffic to see the pattern: what query type
(typically ANY), what query domain name, etc. In the examples, we'll
assume QTYPE=ANY, QNAME=example.net.

Then, generate the Netfilter rule:

iptables -A INPUT -p udp --dport 53 -m u32 \
    --u32 $(python generate-netfilter-u32-dns-rule.py --qname example.net \
    --qtype ANY) -j RATELIMITER

The RATELIMITER chain can be:

iptables -A RATELIMITER -m hashlimit \
    --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
    --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

or you can replace -j RATELIMITER by -j DROP if you want to be
radical.

There are more options in the generate-netfilter-u32-dns-rule.py
script, such as --bufsize=NNN if the attacker uses a fixed EDNS buffer
size (some do).

There are several ways for the attacker to work around this technique
(some obvious and some not so obvious). But my point is that it works
*today*, with *actual* attacks. So, it definitely helps, but keep your
eyes open, have alternative solutions in place and do not put all your
eggs in one basket.

More details (only in French) at
http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html
and http://www.bortzmeyer.org/dns-netfilter-u32.html
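As an added, independent illustration of the u32 technique described in the message above (this is not Stephane's generate-netfilter-u32-dns-rule.py, whose output may differ, and the names dns_u32_rule, u32_match and build_query_packet are hypothetical): the generator emits one u32 test per 4-byte word of the DNS question section, after re-deriving the IPv4 header length with "0>>22&0x3C@" in every test so the offsets also hold for packets with IP options. A small evaluator approximating the xt_u32 semantics (offsets count from the start of the IP header, "@" turns the computed value into the new base offset, any read past the end of the packet fails the test) lets you check the generated expression offline against constructed query packets before putting it in front of a live resolver. Assumptions: IPv4, UDP, unfragmented, a single question, and a byte-exact QNAME/QTYPE, so only the one observed pattern is matched.

```python
import re
import struct
from socket import inet_aton

# Hypothetical helper names and constructed sample packets; not from the thread,
# the bortzmeyer.org script, or the xt_u32 kernel module itself.

QTYPES = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
XT_U32_MAXSIZE = 10   # xt_u32 accepts at most 10 "&&"-separated tests


def encode_qname(name):
    """Wire-format QNAME: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dns_u32_rule(qname, qtype, qclass=1):
    """Build a u32 expression matching an IPv4/UDP DNS query for qname/qtype.

    After "0>>22&0x3C@" offsets are relative to the UDP header: +8 is the DNS
    header, +20 the first question.  The question is compared in 4-byte words;
    a trailing partial word is read 4 bytes back from the end of the question,
    so the match never reads past the last byte of a query without EDNS.
    """
    question = encode_qname(qname) + struct.pack("!HH", QTYPES[qtype], qclass)
    tests = [
        "4&0x1FFF=0",                 # fragment offset 0: first (or only) fragment
        "0>>22&0x3C@8&0x8000=0",      # DNS flags: QR bit clear, i.e. a query
        "0>>22&0x3C@12=0x00010000",   # QDCOUNT=1, ANCOUNT=0
    ]
    n = len(question)
    for i in range(0, n - n % 4, 4):
        word = int.from_bytes(question[i:i + 4], "big")
        tests.append("0>>22&0x3C@%d=0x%08X" % (20 + i, word))
    if n % 4:
        word = int.from_bytes(question[n - 4:], "big")
        tests.append("0>>22&0x3C@%d=0x%08X" % (20 + n - 4, word))
    if len(tests) > XT_U32_MAXSIZE:
        raise ValueError("QNAME too long for one u32 match (%d tests)" % len(tests))
    return "&&".join(tests)


def _num(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def _read32(packet, offset):
    """Big-endian 32-bit read; None when the read would run past the packet."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return int.from_bytes(packet[offset:offset + 4], "big")


def _eval_location(packet, loc):
    tokens = re.findall(r"0x[0-9A-Fa-f]+|\d+|<<|>>|[&@]", loc)
    at = 0
    val = _read32(packet, _num(tokens[0]))
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        if val is None:
            break
        n = _num(tok)
        if op == "&":
            val &= n
        elif op == "<<":
            val = (val << n) & 0xFFFFFFFF
        elif op == ">>":
            val >>= n
        else:                         # "@": computed value becomes the new base
            at += val
            val = _read32(packet, at + n)
    return val


def _in_set(val, values):
    for r in values.split(","):
        lo, _, hi = r.partition(":")
        if _num(lo) <= val <= (_num(hi) if hi else _num(lo)):
            return True
    return False


def u32_match(packet, expr):
    """Evaluate a u32 expression against a raw IPv4 packet (offline approximation)."""
    for test in expr.split("&&"):
        loc, _, values = test.partition("=")
        val = _eval_location(packet, loc.strip())
        if val is None or not _in_set(val, values.strip()):
            return False
    return True


def build_query_packet(qname, qtype, edns=False, ip_options=b""):
    """Constructed IPv4/UDP DNS query; checksums are left zero, which u32 ignores."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    dns += encode_qname(qname) + struct.pack("!HH", QTYPES[qtype], 1)
    if edns:
        dns += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)   # OPT RR, 4096-byte buffer
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(udp),
                     0, 0x4000, 64, 17, 0, inet_aton("192.0.2.10"), inet_aton("198.51.100.53"))
    return ip + ip_options + udp


if __name__ == "__main__":
    rule = dns_u32_rule("example.net", "ANY")
    print('iptables -A INPUT -p udp --dport 53 -m u32 --u32 "%s" -j RATELIMITER' % rule)
    for name, qt, kw in [("example.net", "ANY", {}), ("example.net", "ANY", {"edns": True}),
                         ("example.net", "A", {}), ("example.org", "ANY", {})]:
        print(name, qt, kw, "->", u32_match(build_query_packet(name, qt, **kw), rule))
```

The evaluator is a checking aid, not the kernel: it reproduces the three properties the rule depends on (IP-header-relative offsets, "@" rebasing, and failure on short reads) so you can confirm that the expression matches the observed pattern, still matches when EDNS or IP options change packet length, and does not match other names or types, before the rule starts dropping traffic.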


Re: How to Limit DNS Request per ip source ?

2013-01-14 Thread Beavis
Just put an ACL filter on your BIND config for recursive queries. This
will make your DNS less susceptible to flash-crowd type attacks. Cisco
has a short document about this.

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

Just check out the BIND-centric info; discard the rest.


regards,
-B

On Mon, Jan 14, 2013 at 1:06 PM, Gaurav Kansal gaurav.kan...@nic.in wrote:
> I want to limit the dns request per ip source through iptables.
> [...]
> If anyone is using iptables for limiting DNS Query per IP, then pl. help me
> out.


-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/