Open DNS Resolver reflection attack Mitigation

Owen DeLong owen at delong.com
Fri Jun 8 19:56:23 UTC 2012


On Jun 8, 2012, at 12:26 PM, Stephane Bortzmeyer wrote:

> On Fri, Jun 08, 2012 at 03:09:04PM -0400,
> Joe Maimon <jmaimon at ttec.com> wrote 
> a message of 7 lines which said:
> 
>> Is there any publicly available rate limiting for BIND?
> 
> Not as far as I know. I'm not sure it would be a good idea. BIND is
> feature-rich enough.
> 
>> How about host-based IDS that can be used to trigger rtbh or iptables?
> 
> What I do (I manage a small and experimental open resolver) is to use
> iptables this way (porting it to IPv6 is left as an exercice):
> 
> iptables -A INPUT -p udp --dport 53 -m hashlimit \
>   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
>   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
> 

IPv6 should be a simple matter of putting the same line in your ip6tables file.

Owen





More information about the NANOG mailing list