Open DNS Resolver reflection attack Mitigation

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Jun 8 19:26:05 UTC 2012


On Fri, Jun 08, 2012 at 03:09:04PM -0400,
 Joe Maimon <jmaimon at ttec.com> wrote 
 a message of 7 lines which said:

> Is there any publicly available rate limiting for BIND?

Not as far as I know. I'm not sure it would be a good idea. BIND is
feature-rich enough.
 
> How about host-based IDS that can be used to trigger rtbh or iptables?

What I do (I manage a small and experimental open resolver) is to use
iptables this way (porting it to IPv6 is left as an exercise):

iptables -A INPUT -p udp --dport 53 -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

So, every prefix (length 28) can send 20 r/s with allowed bursts of
100. This requires a Netfilter >= 1.4 (recent options of module
hashlimit).

Most iptables recipes that you find on the Web are not well suited to
DNS. They use connection tracking, for instance, while, with the DNS,
every request/response is a "connection".

I have a more complete article on this setup but in French only
<http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html>.

> Google and Level3 manage to run open resolvers, why can't I?

You have less money :-)
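As an added illustration (not part of the original message), a token-bucket model of what the hashlimit rule above does, so the /28 aggregation and the "20 r/s plus a burst of 100" budget can be checked on constructed traffic. The /64 mask chosen for IPv6 and the bucket arithmetic are assumptions: the kernel's hashlimit credit accounting differs in detail.

```python
"""Token-bucket model of the iptables hashlimit rule from the post.

Added example, not the original message's code: approximates what
'--hashlimit-above 20/second --hashlimit-burst 100 --hashlimit-mode srcip
--hashlimit-srcmask 28' does to a stream of queries.  The kernel's credit
arithmetic differs in detail; this is a model for reasoning, not netfilter.
"""
import ipaddress
from collections import defaultdict

RATE = 20.0                 # --hashlimit-above 20/second
BURST = 100                 # --hashlimit-burst 100
SRCMASK = {4: 28, 6: 64}    # /28 from the post; /64 for IPv6 is an assumption

def bucket_key(src):
    """Collapse a source address to the prefix hashlimit keys on (srcip mode + srcmask)."""
    ip = ipaddress.ip_address(src)
    net = ipaddress.ip_network((ip, SRCMASK[ip.version]), strict=False)
    return str(net)

class HashLimit:
    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))   # credits left per prefix
        self.last = {}                                    # last packet time per prefix

    def accept(self, src, t):
        """True if the packet stays under the limit, False if it would hit -j DROP."""
        key = bucket_key(src)
        if key in self.last:   # refill credits for the time elapsed, capped at burst
            self.tokens[key] = min(self.burst, self.tokens[key] + (t - self.last[key]) * self.rate)
        self.last[key] = t
        if self.tokens[key] >= 1.0:
            self.tokens[key] -= 1.0
            return True
        return False

def simulate(packets):
    """packets: iterable of (timestamp_seconds, src). Returns {prefix: (accepted, dropped)}."""
    hl = HashLimit()
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(packets):
        stats[bucket_key(src)][0 if hl.accept(src, t) else 1] += 1
    return {k: tuple(v) for k, v in stats.items()}

def flood_sample():
    """Constructed input: all 16 hosts of one /28 send 20 queries at t=0 (320 total),
    plus one well-behaved host elsewhere sending 10 queries spaced 0.1 s apart."""
    pkts = [(0.0, f"192.0.2.{h}") for h in range(16) for _ in range(20)]
    pkts += [(0.1 * i, "198.51.100.7") for i in range(10)]
    return pkts
```

Running `simulate(flood_sample())` shows the whole /28 sharing one budget: 100 of its 320 queries pass and 220 are dropped, while the lone host at 10 queries/s is never touched.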