nanog mailing list archives
Re: Open DNS Resolver reflection attack Mitigation
From: Owen DeLong <owen () delong com>
Date: Fri, 8 Jun 2012 12:56:23 -0700
On Jun 8, 2012, at 12:26 PM, Stephane Bortzmeyer wrote:
> On Fri, Jun 08, 2012 at 03:09:04PM -0400, Joe Maimon <jmaimon () ttec com> wrote a message of 7 lines which said:
>
>> Is there any publicly available rate limiting for BIND?
>
> Not as far as I know. I'm not sure it would be a good idea. BIND is feature-rich enough.
>
>> How about host-based IDS that can be used to trigger rtbh or iptables?
>
> What I do (I manage a small and experimental open resolver) is to use iptables this way (porting it to IPv6 is left as an exercise):
>
>     iptables -A INPUT -p udp --dport 53 -m hashlimit \
>         --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
>         --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
IPv6 should be a simple matter of putting the same line in your ip6tables file.

Owen
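To see what the hashlimit rule quoted above actually does against a reflection flood, here is an added example (not from the thread) that models xt_hashlimit's per-source-prefix token bucket with the posted parameters: 20 credits per second refill, burst 100, sources grouped by /28. The IPv6 /64 grouping is an assumption, since the posted --hashlimit-srcmask 28 is an IPv4 prefix length; the traffic is constructed.

```python
from ipaddress import ip_address, ip_network

RATE = 20.0                # --hashlimit-above 20/second: credits refilled per second
BURST = 100                # --hashlimit-burst 100: bucket capacity
SRCMASK = {4: 28, 6: 64}   # --hashlimit-srcmask; the v6 /64 is an assumption, not from the post

def bucket_key(src):
    """Collapse a source address to the prefix that shares one hashlimit bucket."""
    addr = ip_address(src)
    return str(ip_network((str(addr), SRCMASK[addr.version]), strict=False))

class HashLimit:
    """Token-bucket model of one hashlimit rule in --hashlimit-mode srcip."""
    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # prefix -> (credits left, time of last packet)

    def above(self, src, now):
        """True when this packet exceeds the limit, i.e. the rule matches and -j DROP fires."""
        key = bucket_key(src)
        credit, last = self.buckets.get(key, (self.burst, now))
        credit = min(self.burst, credit + (now - last) * self.rate)  # refill since last packet
        if credit >= 1:
            self.buckets[key] = (credit - 1, now)  # spend one credit, packet passes
            return False
        self.buckets[key] = (credit, now)
        return True

def simulate(packets):
    """Run (timestamp, source) tuples through the rule; return the verdict for each."""
    hl = HashLimit()
    return ["DROP" if hl.above(src, t) else "ACCEPT" for t, src in packets]

def sample_packets():
    """Constructed traffic: a spoofed flood from 198.51.100.0/28, one innocent neighbour
    from the next /28, then a trickle from the flooding prefix one second later."""
    flood = [(0.0, f"198.51.100.{i % 16}") for i in range(150)]
    neighbour = [(0.0, "198.51.100.16")]
    later = [(1.0, "198.51.100.3")] * 21
    return flood + neighbour + later

if __name__ == "__main__":
    verdicts = simulate(sample_packets())
    print("flood: accepted", verdicts[:150].count("ACCEPT"), "dropped", verdicts[:150].count("DROP"))
    print("neighbouring /28:", verdicts[150])
    print("after 1s, 21 more from the flood prefix:", verdicts[151:].count("ACCEPT"), "pass")
```

The first 100 packets of the flood drain the burst, everything after that from the same /28 is dropped until credits refill at 20 per second, and a host in the adjacent /28 is unaffected because it hashes to its own bucket.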