[153608] in North American Network Operators' Group


Re: Open DNS Resolver reflection attack Mitigation

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jun 8 18:05:56 2012

From: Owen DeLong <owen@delong.com>
In-Reply-To: <20120608201127.GA24608@sources.org>
Date: Fri, 8 Jun 2012 15:03:31 -0700
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: North American Networking and Offtopic Gripes List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jun 8, 2012, at 1:11 PM, Stephane Bortzmeyer wrote:

> On Fri, Jun 08, 2012 at 12:56:23PM -0700,
> Owen DeLong <owen@delong.com> wrote
> a message of 28 lines which said:
>
>> IPv6 should be a simple matter of putting the same line in your
>> ip6tables file.
>
> My experience with attack mitigation is that tools do not always work
> as advertised and sometimes do bad things (such as crashing the
> machine). So, I agree, it "should be a simple matter" but I prefer to
> test first.
>
I'm using a much simpler:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT

(v4 and v6 identical rules) and it seems to be working so far.

YMMV.

> [For instance, my IPv4 rule required a maximum of 2^28 buckets in
> memory while an IPv6 rule with --hashlimit-srcmask 64 would require a
> maximum of 2^64 buckets... What will be the effect on the system
> memory?]
>

True, but, if you leave 28 in place, it will only require 2^28 buckets for
IPv6 as well. You might want to bump up the allowed qps since there
can be quite a few more hosts per /28, but, otherwise it should still be
reasonably feasible.

Owen
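The trade-off discussed above (bucket count bounded by 2^srcmask versus a quota shared by every host in the prefix), as an added example that is not part of the thread: a simplified model of the per-prefix token bucket that hashlimit keeps, run over a constructed burst from four IPv6 hosts in four different /64s. The rate and burst values are Owen's (30/minute, burst 90); the host addresses and the model itself are assumptions, not the kernel's actual credit-based implementation.

```python
# Added example (not from the thread): simplified model of the per-source
# token bucket behind "-m hashlimit", to show what --hashlimit-srcmask does
# to the number of buckets and to the quota each host effectively gets.
import ipaddress


class HashlimitModel:
    """One token bucket per source prefix (address masked to srcmask bits)."""

    def __init__(self, per_minute, burst, srcmask):
        self.rate = per_minute / 60.0   # tokens refilled per second
        self.burst = burst              # bucket capacity (--hashlimit-burst)
        self.srcmask = srcmask          # --hashlimit-srcmask
        self.buckets = {}               # prefix -> (tokens, last_seen)

    def bucket_key(self, src):
        addr = ipaddress.ip_address(src)
        return str(ipaddress.ip_network((addr, self.srcmask), strict=False))

    def allow(self, src, now):
        key = self.bucket_key(src)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        accepted = tokens >= 1
        self.buckets[key] = (tokens - 1 if accepted else tokens, now)
        return accepted


def max_buckets(srcmask):
    """Upper bound on distinct buckets a srcmask can create (2^28 vs 2^64 above)."""
    return 2 ** srcmask


def simulate_burst(srcmask, sources, queries_per_source):
    """All sources fire queries_per_source packets at t=0; return (accepted, buckets)."""
    model = HashlimitModel(per_minute=30, burst=90, srcmask=srcmask)
    accepted = 0
    for _ in range(queries_per_source):
        for src in sources:
            accepted += model.allow(src, now=0.0)
    return accepted, len(model.buckets)


# Constructed sample: four IPv6 hosts in four different /64s of one /32.
V6_HOSTS = ["2001:db8:0:1::53", "2001:db8:0:2::53",
            "2001:db8:0:3::53", "2001:db8:0:4::53"]

if __name__ == "__main__":
    print(max_buckets(28), max_buckets(64))
    print(simulate_burst(64, V6_HOSTS, 100))  # (360, 4): each /64 gets its own burst of 90
    print(simulate_burst(28, V6_HOSTS, 100))  # (90, 1): one /28 bucket shared by all four
```

With srcmask 28 the table can never exceed 2^28 entries regardless of address family, but every host in that /28 draws from the same 90-packet burst, which is why the allowed rate needs raising for IPv6.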



