On 06/23/2012 12:03 AM, Andris Kalnozols wrote: > I'm trying to deal with the following problem: > > * My BIND 9.9.1-P1 DNS server is being hammered with a > reflection/amplification DDoS attack where a small > (67 bytes) query is causing a large (2577 bytes) > answer to be sent to the query's forged source address. > > * I've applied the rate-limit patch from here: > > http://www.redbarn.org/dns/ratelimits > > and it works well until the query load get to be about > 11,000/second and then general packet loss starts to occur. > > * After identifying the egregious source addresses with dnstop(1), > the Shorewall blacklist feature helps very much. While I only > need to block ten or fewer addresses at a time, this solution > does not scale because the spoofed addresses are always changing. > > I ran across the following article: >> http://forum.slicehost.com/index.php?p=/discussion/2970/dns-multiplication-ddos-underway/p1 > > and in my particular case, it would be ideal if I could insert the following > rule into my Shorewall configuration: > > iptables -t raw -I PREROUTING -p udp --destination-port 53 -m string \ > --algo kmp --from <offset> --hex-string "|<some hex data>|" -j DROP > > I'm using Debian stable and so the version of Shorewall is 4.4.11 > and have read the following documentation: > > http://www.shorewall.net/Actions.html#Extension > http://www.shorewall.net/shorewall_extension_scripts.htm > http://www.shorewall.net/ManualChains.html > > So my question is: > > It seems possible to add custom iptables rules in Shorewall but > I would like to add a rule before connection tracking takes place, > i.e., the rule should go in the PREROUTING chain of the "raw" table. > Can this be done within the Shorewall framework? > > If so, then could someone indulge me with the high-level steps that > are needed to achieve this?
Simply put the above iptables command in /etc/shorewall/start. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
