I'm trying to deal with the following problem:
* My BIND 9.9.1-P1 DNS server is being hammered with a
reflection/amplification DDoS attack where a small
(67 bytes) query is causing a large (2577 bytes)
answer to be sent to the query's forged source address.
* I've applied the rate-limit patch from here:
http://www.redbarn.org/dns/ratelimits
and it works well until the query load get to be about
11,000/second and then general packet loss starts to occur.
* After identifying the egregious source addresses with dnstop(1),
the Shorewall blacklist feature helps very much. While I only
need to block ten or fewer addresses at a time, this solution
does not scale because the spoofed addresses are always changing.
I ran across the following article:
http://forum.slicehost.com/index.php?p=/discussion/2970/dns-multiplication-ddos-underway/p1
and in my particular case, it would be ideal if I could insert the following
rule into my Shorewall configuration:
iptables -t raw -I PREROUTING -p udp --destination-port 53 -m string \
--algo kmp --from <offset> --hex-string "|<some hex data>|" -j DROP
I'm using Debian stable and so the version of Shorewall is 4.4.11
and have read the following documentation:
http://www.shorewall.net/Actions.html#Extension
http://www.shorewall.net/shorewall_extension_scripts.htm
http://www.shorewall.net/ManualChains.html
So my question is:
It seems possible to add custom iptables rules in Shorewall but
I would like to add a rule before connection tracking takes place,
i.e., the rule should go in the PREROUTING chain of the "raw" table.
Can this be done within the Shorewall framework?
If so, then could someone indulge me with the high-level steps that
are needed to achieve this?
Thanks,
Andris
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
