Open DNS Resolver reflection attack Mitigation

• Previous message (by thread): Open DNS Resolver reflection attack Mitigation
• Next message (by thread): rate limiting (Re: Open DNS Resolver reflection attack Mitigation)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Jun 8, 2012, at 1:11 PM, Stephane Bortzmeyer wrote:

> On Fri, Jun 08, 2012 at 12:56:23PM -0700,
> Owen DeLong <owen at delong.com> wrote 
> a message of 28 lines which said:
> 
>> IPv6 should be a simple matter of putting the same line in your
>> ip6tables file.
> 
> My experience with attack mitigation is that tools do not always work
> as advertised and sometimes do bad things (such as crashing the
> machine). So, I agree, it "should be a simple matter" but I prefer to
> test first.
> 
I'm using a much simpler:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT

(v4 and v6 identical rules) and it seems to be working so far.

YMMV.

> [For instance, my IPv4 rule required a maximum of 2^28 buckets in
> memory while an IPv6 rule with --hashlimit-srcmask 64 would require a
> maximum of 2^64 buckets... What will be the effect on the system
> memory?]
> 

True, but, if you leave 28 in place, it will only require 2^28 buckets for
IPv6 as well. You might want to bump up the allowed qps since there
can be quite a few more hosts per /28, but, otherwise should still be
reasonably feasible.

Owen

• Previous message (by thread): Open DNS Resolver reflection attack Mitigation
• Next message (by thread): rate limiting (Re: Open DNS Resolver reflection attack Mitigation)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]