[nsd-users] Amplification attack how to stop it
Paul Wouters
paul at nohats.ca
Thu Dec 3 17:37:55 UTC 2015
On Thu, 3 Dec 2015, Bas van den Dikkenberg wrote:
> We have a big problem: all 3 of our DNS servers are under amplification attack.
>
> As soon as we start nsd we send out 50 mbit to the internet.
>
> Any ideas how we can stop this?
I see you already tried rrl-ratelimit. You can do iptables based packet
dropping too, although that might cause service interruptions to real
clients as well.
eg:
# accept up to 5 ANY queries per source IP, then 1 per minute
# ("|0000ff0001|" = end of QNAME, QTYPE=ANY, QCLASS=IN)
iptables -I INPUT -d 188.127.201.225/32 -p udp -m udp --dport 53 -m hashlimit \
--hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-mode srcip \
--hashlimit-name dnsany -m string --hex-string "|0000ff0001|" --algo bm \
--from 50 --to 65535 -j ACCEPT
# drop the ANY queries that exceed that limit; inserted at position 2 so it
# sits right after the ACCEPT rule above and before any general DNS accept
iptables -I INPUT 2 -d 188.127.201.225/32 -p udp -m udp --dport 53 \
-m string --hex-string "|0000ff0001|" --algo bm --from 50 --to 65535 -j DROP
This would allow 1 ANY query per minute after an initial burst of five.
If your queries are not for ANY, you might have to tweak things a
little.
Paul
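A small model of what that rule pair does (the QTYPE=ANY byte-pattern match plus a per-source hashlimit bucket), added here as an example and not part of the mail; the packet builder, the source addresses and the simple token bucket are constructed assumptions, and it runs offline:

```python
"""Model the iptables rule above: match DNS ANY queries by the byte pattern
00 00ff 0001 (end of QNAME, QTYPE=ANY, QCLASS=IN) and apply a per-source
bucket like hashlimit --hashlimit-upto 1/min --hashlimit-burst 5.
Added example, not from the mail; packets and addresses are constructed."""
import struct

ANY_IN = bytes.fromhex("0000ff0001")  # the --hex-string "|0000ff0001|" pattern

def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS query payload (constructed sample input)."""
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def is_any_query(payload: bytes) -> bool:
    """Same test the rule performs: substring search for QTYPE=ANY, QCLASS=IN."""
    return ANY_IN in payload

class HashLimit:
    """Per-source token bucket: 'burst' tokens to start, refilled at rate_per_min."""
    def __init__(self, rate_per_min: float = 1.0, burst: int = 5):
        self.rate = rate_per_min / 60.0   # tokens per second
        self.burst = burst
        self.buckets = {}                 # src ip -> (tokens, last timestamp)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)  # over the limit: no token spent
        return False

def filter_packets(packets, limiter: HashLimit = None):
    """Return an ACCEPT/DROP verdict per (timestamp, src, payload).
    Non-ANY queries are untouched, as with the rule pair above."""
    limiter = limiter or HashLimit()
    verdicts = []
    for ts, src, payload in packets:
        if not is_any_query(payload):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("ACCEPT" if limiter.allow(src, ts) else "DROP")
    return verdicts
```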