Open DNS Resolver reflection attack Mitigation
Owen DeLong
owen at delong.com
Fri Jun 8 19:56:23 UTC 2012
On Jun 8, 2012, at 12:26 PM, Stephane Bortzmeyer wrote:
> On Fri, Jun 08, 2012 at 03:09:04PM -0400,
> Joe Maimon <jmaimon at ttec.com> wrote
> a message of 7 lines which said:
>
>> Is there any publicly available rate limiting for BIND?
>
> Not as far as I know. I'm not sure it would be a good idea. BIND is
> feature-rich enough.
>
>> How about host-based IDS that can be used to trigger rtbh or iptables?
>
> What I do (I manage a small and experimental open resolver) is to use
> iptables this way (porting it to IPv6 is left as an exercise):
>
> iptables -A INPUT -p udp --dport 53 -m hashlimit \
> --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
> --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
>
IPv6 should be a simple matter of putting the same line in your ip6tables file.
Owen
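The IPv4 rule quoted above and Owen's point about reusing it under ip6tables, as an added example that is not from either poster: a small POSIX shell script that generates the xt_hashlimit rule for both address families and applies it without duplicating it on re-runs. Everything beyond the quoted rule is my assumption: the chain (INPUT), the hashlimit names DNS4 and DNS6, the `--apply`/`--show` switches, and the choice of a /64 aggregation mask for IPv6 in place of the /28 used for IPv4.

```shell
#!/bin/sh
# Added example (not from the thread): per-source rate limit for UDP/53
# with xt_hashlimit, for both iptables and ip6tables.
# Assumptions not stated in the original post: chain INPUT, 20 queries/s
# with a burst of 100 (the values from the quoted rule), /28 aggregation
# for IPv4 and /64 for IPv6 (a /28 keyed on a 128-bit address would put
# most of the IPv6 Internet into a handful of buckets). DNS4/DNS6 are
# made-up hashlimit table names.

RATE="20/second"
BURST=100
V4_MASK=28
V6_MASK=64

# dns_rule FAMILY [ACTION]
# Print the complete command for address family 4 or 6. ACTION is the
# iptables verb: -A (append, default), -D (delete) or -C (check existence).
dns_rule() {
    _family=$1
    _action=${2:--A}
    case "$_family" in
        4) _cmd=iptables;  _mask=$V4_MASK; _name=DNS4 ;;
        6) _cmd=ip6tables; _mask=$V6_MASK; _name=DNS6 ;;
        *) echo "usage: dns_rule 4|6 [-A|-D|-C]" >&2; return 2 ;;
    esac
    printf '%s %s INPUT -p udp --dport 53 -m hashlimit --hashlimit-name %s --hashlimit-above %s --hashlimit-mode srcip --hashlimit-burst %s --hashlimit-srcmask %s -j DROP\n' \
        "$_cmd" "$_action" "$_name" "$RATE" "$BURST" "$_mask"
}

# apply_rules: add the rule for each family unless -C reports it is
# already present, so the script can be re-run without stacking copies.
# Needs root and the xt_hashlimit module; not exercised offline.
apply_rules() {
    for _f in 4 6; do
        if ! eval "$(dns_rule "$_f" -C)" 2>/dev/null; then
            eval "$(dns_rule "$_f" -A)" || return 1
        fi
    done
}

# show_buckets: dump the live per-source buckets so you can see which
# /28s or /64s are currently over the limit (xt_hashlimit exposes them
# under /proc/net/ipt_hashlimit and /proc/net/ip6t_hashlimit).
show_buckets() {
    for _p in /proc/net/ipt_hashlimit/DNS4 /proc/net/ip6t_hashlimit/DNS6; do
        [ -r "$_p" ] && { echo "== $_p"; cat "$_p"; }
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    --show)  show_buckets ;;
    *)       dns_rule 4; dns_rule 6 ;;   # dry run: just print the two rules
esac
```

Two points worth keeping in mind when deploying this. First, in a reflection attack the packet's source address is the spoofed victim, so a limit keyed on `srcip` does not find the attacker; what it does is cap the amplified traffic the resolver will send toward any one victim prefix, which is exactly what you want from a reflector's point of view. Second, the mask is a trade-off: a wider aggregate (smaller prefix length) stops an attacker from sidestepping the limit by spoofing many addresses in the victim's block, but legitimate heavy clients that share that block also share the bucket, so watch the buckets with `--show` before tightening it.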
More information about the NANOG mailing list