[153572] in North American Network Operators' Group


Re: Open DNS Resolver reflection attack Mitigation

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jun 8 16:01:52 2012

From: Owen DeLong <owen@delong.com>
In-Reply-To: <20120608192605.GA19427@sources.org>
Date: Fri, 8 Jun 2012 12:56:23 -0700
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: North American Networking and Offtopic Gripes List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jun 8, 2012, at 12:26 PM, Stephane Bortzmeyer wrote:

> On Fri, Jun 08, 2012 at 03:09:04PM -0400,
> Joe Maimon <jmaimon@ttec.com> wrote
> a message of 7 lines which said:
>
>> Is there any publicly available rate limiting for BIND?
>
> Not as far as I know. I'm not sure it would be a good idea. BIND is
> feature-rich enough.
>
>> How about host-based IDS that can be used to trigger rtbh or iptables?
>
> What I do (I manage a small and experimental open resolver) is to use
> iptables this way (porting it to IPv6 is left as an exercise):
>
> iptables -A INPUT -p udp --dport 53 -m hashlimit \
>   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
>   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
>

IPv6 should be a simple matter of putting the same line in your ip6tables file.

Owen
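As an added illustration (not code from this thread), here is a Python model of the hashlimit rule quoted above: one token bucket per /28 source prefix, refilled at 20 tokens per second with a burst of 100, run over constructed sample traffic to show what the rule accepts and drops, including the IPv6 case Owen describes. It assumes the same /28 prefix length on IPv6 and approximates the kernel's credit accounting with a plain token bucket; the sample addresses are documentation ranges, not real hosts.

```python
import ipaddress
from collections import defaultdict

RATE = 20.0    # --hashlimit-above 20/second
BURST = 100    # --hashlimit-burst 100
SRCMASK = 28   # --hashlimit-srcmask 28; assumed to apply unchanged to IPv6

def bucket_key(src):
    """Group sources by prefix, as --hashlimit-mode srcip --hashlimit-srcmask does."""
    return str(ipaddress.ip_network(f"{src}/{SRCMASK}", strict=False))

class HashLimit:
    """Token-bucket approximation of the hashlimit match; one bucket per key."""
    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst, self.state = rate, burst, {}

    def above(self, key, now):
        """True when this packet exceeds the limit, i.e. the rule would DROP it."""
        tokens, last = self.state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.state[key] = (tokens - 1, now)
            return False
        self.state[key] = (tokens, now)
        return True

def simulate(queries):
    """queries: (timestamp_seconds, src_ip) pairs; returns {key: (accepted, dropped)}."""
    hl, counts = HashLimit(), defaultdict(lambda: [0, 0])
    for ts, src in sorted(queries):
        key = bucket_key(src)
        counts[key][1 if hl.above(key, ts) else 0] += 1
    return {k: tuple(v) for k, v in counts.items()}

# Constructed sample traffic (documentation address ranges, not real hosts).
# In a reflection attack the "source" is the spoofed victim, so the bucket
# caps how many amplified answers any one /28 receives from this resolver.
SAMPLE = (
    [(i / 500, "198.51.100.17") for i in range(500)]       # 500 qps toward one /28
    + [(0.5 + i / 10, "198.51.100.20") for i in range(3)]  # quiet neighbour, same /28
    + [(i / 5, "203.0.113.5") for i in range(5)]           # legitimate 5 qps client
    + [(i / 300, "2001:db8::1") for i in range(300)]       # same rule via ip6tables
)

if __name__ == "__main__":
    for key, (ok, dropped) in simulate(SAMPLE).items():
        print(f"{key:20} accepted={ok:4} dropped={dropped:4}")
```

Note that the neighbour at 198.51.100.20 shares the flooded bucket, so a /28 srcmask trades finer fairness for a smaller hash table.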


