On Thu, 3 Dec 2015, Bas van den Dikkenberg wrote:

> We have a big problem, all 3 of our DNS servers are under an amplification attack.
>
> As soon as we start nsd we send out 50 mbit to the internet.
>
> Any ideas how we can stop this?

I see you already tried rrl-ratelimit. You can do iptables based packet dropping too, although that might cause service interruptions to real clients as well. eg:

iptables -I INPUT -d 188.127.201.225/32 -p udp -m udp --dport 53 -m hashlimit \
  --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-mode srcip \
  --hashlimit-name dnsany -m string --hex-string "|0000ff0001|" --algo bm \
  --from 50 --to 65535 -j ACCEPT

This would allow 1 ANY query per minute after an initial burst of five. If your queries are not for ANY, you might have to tweak things a little.

Paul
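As an added example (not from the thread), the following Python mirrors what the iptables rule above does: the `|0000ff0001|` byte pattern is the qname terminator followed by QTYPE 255 (ANY) and QCLASS 1 (IN), and hashlimit keeps a per-source bucket of 5 that refills at 1 per minute. It also adds a stricter check that parses the question section instead of scanning raw bytes; all packets and addresses are constructed samples.

```python
import struct
from collections import defaultdict

# Byte pattern from the iptables rule: qname terminator (0x00), QTYPE 255 (ANY), QCLASS 1 (IN).
ANY_IN_PATTERN = bytes.fromhex("0000ff0001")

def build_query(qname, qtype, qclass=1, txid=0x1234):
    """Build a minimal DNS query datagram (constructed sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, RD flag, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(pkt):
    """Parse the first question of a DNS packet; returns (qname, qtype, qclass)."""
    if len(pkt) < 12 or struct.unpack("!H", pkt[4:6])[0] < 1:
        raise ValueError("truncated header or empty question section")
    pos, labels = 12, []
    while pkt[pos] != 0:
        ln = pkt[pos]
        if ln & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype, qclass = struct.unpack("!HH", pkt[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass

def matches_any_rule(pkt):
    """What the iptables string match tests: the byte pattern anywhere in the payload."""
    return ANY_IN_PATTERN in pkt

def is_any_query(pkt):
    """Stricter check: read the parsed QTYPE/QCLASS fields instead of scanning bytes."""
    _, qtype, qclass = parse_question(pkt)
    return qtype == 255 and qclass == 1

class SrcRateLimiter:
    """Per-source token bucket mirroring --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-mode srcip."""
    def __init__(self, per_minute=1, burst=5):
        self.rate, self.burst = per_minute / 60.0, burst
        self.buckets = defaultdict(lambda: [float(burst), 0.0])  # [tokens, last_seen]
    def allow(self, src, now):
        """Return True if this source may send another ANY query at time `now` (seconds)."""
        tokens, last = self.buckets[src]
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = [tokens - 1, now]
            return True
        self.buckets[src] = [tokens, now]
        return False
```

Note that the rule in the message only ACCEPTs ANY queries within the limit; a later rule has to drop the excess, which is what `allow()` returning False stands for here.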
Bas van den Dikkenberg
2015-Dec-04 09:05 UTC
[nsd-users] Amplification attack how to stop it
I built a new deb package with 4.1.6 and this seems to resolve the issue.

-----Original message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: Thursday, 3 December 2015 18:38
To: Bas van den Dikkenberg <bas at Dikkenberg.net>
CC: 'nsd-users at NLnetLabs.nl' <nsd-users at NLnetLabs.nl>
Subject: Re: [nsd-users] Amplification attack how to stop it