On 1/31/13 9:27 PM, Job Snijders wrote:
> Hi Tony,
>
> On Jan 31, 2013, at 8:53 PM, Tony Finch <[email protected]> wrote:
>
>> Job Snijders <[email protected]> wrote:
>>>
>>> Please do share! :-)
>>
>> If you're being attacked it should be obvious. But the RRL patch is nearly
>> as effective even if it isn't so lightweight.
>
> You claim: "There are a number of quite crude but effective remedies against
> current amplification attacks".

As the RRL patch was mentioned I assume we are referring to the authoritative side of things. Stéphane Bortzmeyer has written a few blog posts on how to do this in iptables[1][2] and a helper Python script[3]. There is also another BIND patch from Lutz Donnerhacke describing an alternate way of dampening this traffic[4].

> In September 2012 one of our customers was targeted with a 120+ Gbit/sec
> DNS amplification attack. I'm open to suggestions.

If you are the target of these attacks you need to block things as close to the edge as possible. Depending on your network this could be difficult; however, if all DNS traffic goes via a cache (big assumption, I know) then I would recommend having rules like the following:

    cache=8.8.8.8
    permit udp any 53 8.8.8.8 any
    deny any 53 any any

i.e. only allow UDP traffic with a source port of 53 to go to your caching server. This would stop reflection traffic from going to anything but your caching server. I should warn that this rule is overly aggressive and could cause problems, especially if you have services that do their own DNS. However, if you are being attacked it is a good rule to ask your ISP to put in place.

Regards
John

[1] http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html
[2] http://www.bortzmeyer.org/dns-netfilter-u32.html
[3] http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py
[4] http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
