[nsd-users] Amplification attack how to stop it
Bas van den Dikkenberg
bas at Dikkenberg.net
Fri Dec 4 09:05:14 UTC 2015
I built a new deb package with 4.1.6 and this seems to resolve the issue.
-----Original message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: Thursday 3 December 2015 18:38
To: Bas van den Dikkenberg <bas at Dikkenberg.net>
CC: 'nsd-users at NLnetLabs.nl' <nsd-users at NLnetLabs.nl>
Subject: Re: [nsd-users] Amplification attack how to stop it
On Thu, 3 Dec 2015, Bas van den Dikkenberg wrote:
> We have a big problem: all 3 of our DNS servers are under
> amplification attack.
>
> As soon as we start nsd we send out 50 Mbit to the internet.
>
> Any ideas how we can stop this?
I see you already tried rrl-ratelimit. You can do iptables based packet dropping too, although that might cause service interruptions to real clients as well.
eg:
iptables -I INPUT -d 188.127.201.225/32 -p udp -m udp --dport 53 \
    -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 \
    --hashlimit-mode srcip --hashlimit-name dnsany \
    -m string --hex-string "|0000ff0001|" --algo bm --from 50 --to 65535 \
    -j ACCEPT
This would allow 1 ANY query per minute after initial burst of five.
If your queries are not for ANY, you might have to tweak things a little.
Paul
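Added example, not part of the thread or of NSD: a Python model of the iptables rule Paul posted, to check what it matches and what it rate-limits before putting it on a live resolver. It builds real DNS wire-format queries, applies the "|0000ff0001|" string match with the same --from/--to window (counted from the start of the IP header, assuming IPv4 without options and UDP), and emulates hashlimit's per-source token bucket (burst 5, refill 1/min). It also adds a second rule the thread does not show: ACCEPT alone never drops anything, so a DROP for the remaining ANY queries has to follow it. The IP addresses, names and the DROP rule are assumptions of this example.

```python
"""
Model of: -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-mode srcip
          -m string --hex-string "|0000ff0001|" --from 50 --to 65535 -j ACCEPT
followed by an assumed DROP rule for the ANY queries that exceed the limit.
Added example; the real matching is done by the kernel's xt_string/xt_hashlimit.
"""
import struct

QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1

# "|0000ff0001|": end-of-QNAME (0x00), QTYPE=ANY (0x00ff), QCLASS=IN (0x0001)
ANY_IN_PATTERN = bytes.fromhex("0000ff0001")
# xt_string offsets count from the start of the IP header (IPv4, no options, assumed)
IPV4_HDR_LEN, UDP_HDR_LEN, DNS_HDR_LEN = 20, 8, 12
STRING_FROM, STRING_TO = 50, 65535


def build_dns_query(qname, qtype, txid=0x1234):
    """Minimal DNS query in wire format: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in qname.rstrip(".").split(".") if l]
    qname_wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, QCLASS_IN)


def fake_ip_udp_packet(dns_payload):
    """Dummy IPv4 + UDP headers ahead of the payload; only their lengths matter here."""
    return b"\x45" + b"\x00" * (IPV4_HDR_LEN - 1) + b"\x00" * UDP_HDR_LEN + dns_payload


def string_match(packet, pattern=ANY_IN_PATTERN, start=STRING_FROM, end=STRING_TO):
    """-m string --from START --to END: pattern must lie inside packet[start:end+1].
    bytes.find() stands in for the --algo bm (Boyer-Moore) search."""
    return packet[start:end + 1].find(pattern) != -1


class HashLimit:
    """Per-key token bucket, like --hashlimit-upto R/min --hashlimit-burst B."""

    def __init__(self, per_minute=1, burst=5):
        self.per_minute = per_minute
        self.burst = burst
        self.buckets = {}  # key -> (tokens, last_seen_seconds)

    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.per_minute / 60.0)
        ok = tokens >= 1
        if ok:
            tokens -= 1
        self.buckets[key] = (tokens, now)
        return ok


class AnyQueryFilter:
    """Two-rule chain: ACCEPT rate-limited ANY/IN queries, DROP the rest of them
    (the DROP rule is an assumption of this example), pass everything else on."""

    def __init__(self):
        self.limiter = HashLimit(per_minute=1, burst=5)

    def verdict(self, src_ip, dns_payload, now):
        packet = fake_ip_udp_packet(dns_payload)
        if not string_match(packet):
            return "PASS"      # not seen as an ANY/IN question; later rules decide
        if self.limiter.allow(src_ip, now):
            return "ACCEPT"
        return "DROP"


def demo():
    """Constructed traffic: one source sends 7 ANY queries at once, then more a minute later."""
    f = AnyQueryFilter()
    any_q = build_dns_query("example.com", QTYPE_ANY)
    burst = [f.verdict("198.51.100.7", any_q, now=0) for _ in range(7)]
    later = [f.verdict("198.51.100.7", any_q, now=60) for _ in range(2)]
    other = f.verdict("203.0.113.9", any_q, now=60)
    return {"burst": burst, "later": later, "other_source": other}


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: a query for a very short name ("a.b") puts the ANY/IN bytes before offset 50, so the --from 50 window never sees it, and without a trailing DROP rule the excess ANY queries simply fall through to whatever the rest of the INPUT chain does.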