Hmm, I thought it is better to do the rate limiting on a lower layer. It's the same fix: you give the customer x queries in y time. But with RRL I think every query is counted. With iptables you can say: just count the ANY queries. So it's more specific.
Kind regards

sasag Kabelkommunikation AG
Michael Richter
Professional Bachelor ODEC in Engineering
mrichter@sasag.ch
052 633 01 71

________________________________________
From: Jeroen Massar [jeroen@massar.ch]
Sent: Friday, 24 May 2013 13:43
To: Michael Richter
Cc: Benoit Panizzon; swinog@swinog.ch
Subject: Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
On 2013-05-24 12:52, Michael Richter wrote:
[..]
> What can you do to limit this stupid traffic:
> - rate limit the queries per customer (not really a good idea)
> - rate limit this special kind of queries (that's the best way at the moment)
>
> I haven't had the time to look into the packets to limit these queries. If they are all similar you can set up a drop filter in iptables, like you should already have for the isc.org ANY requests. -> Problem not really solved, but you should be happy with this :-)
[..]
> But what's the hex string for this kind of query? Anybody got it?
You want to deploy RRL.
iptables is not the right location for doing this kind of stuff as you will have false positives.
Please see http://www.redbarn.org/dns/ratelimits
Greets, Jeroen
On 2013-05-24 14:04, Michael Richter wrote:
> Hmm, I thought it is better to do the rate limiting on a lower layer. It's the same fix: you give the customer x queries in y time.

It is FAR from the "same fix". RRL has knowledge of the query and the answer it would give.

Amongst other things, RRL suggests TCP fallback to the client, thus giving non-spoofed clients the possibility to query using TCP and get the query through anyway.

Of course, when the rate limit is surpassed even with TCP, it will be rate limited there too.

> But with RRL I think every query is counted. With iptables you can say: just count the ANY queries.

The type of query does not matter for abusers; they are using standard A or DS, TXT and other such records too.

The rate they come in at, and the amount you reply to the spoofer with, does matter, as then you are sending the junk to the spoofed source.
Greets, Jeroen
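Added example (not code from the thread or from any RRL implementation): a toy model of the difference Jeroen describes. The RRL-style limiter keys on what the name server knows (client prefix plus the answer it would send) and slips truncated replies so a real client can retry over TCP; the packet-filter style check only sees the query type. Parameters, the flood and the addresses are constructed.

```python
# Constructed, simplified model of DNS response rate limiting versus a
# query-type-only packet filter. Not the BIND/NSD RRL code.
from collections import defaultdict
import ipaddress


class ResponseRateLimiter:
    """Limit identical answers per client prefix per second. Above the limit,
    every `slip`-th withheld answer becomes a truncated (TC=1) reply, so a
    non-spoofed client retries over TCP; the rest are dropped, which is what
    starves the spoofed victim of amplified traffic."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self.sent = defaultdict(int)      # (key, second) -> answers sent
        self.rejected = defaultdict(int)  # key -> answers withheld so far

    def key(self, client_ip, qname, qtype, rcode="NOERROR"):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        # Bucket identity is the answer, not just the packet: same name/type/
        # rcode from the same prefix share one bucket.
        return (str(net), qname.lower().rstrip("."), qtype, rcode)

    def decide(self, second, client_ip, qname, qtype):
        """Return 'answer', 'slip' (truncated reply, retry via TCP) or 'drop'."""
        k = self.key(client_ip, qname, qtype)
        if self.sent[(k, second)] < self.rps:
            self.sent[(k, second)] += 1
            return "answer"
        self.rejected[k] += 1
        return "slip" if self.slip and self.rejected[k] % self.slip == 0 else "drop"


def qtype_only_filter(second, client_ip, qname, qtype, blocked=("ANY",)):
    """What a filter matching only the query type can do: drop ANY, pass the rest."""
    return "drop" if qtype in blocked else "answer"


def simulate(queries, decide):
    """Count outcomes for (second, src_ip, qname, qtype) queries under `decide`."""
    counts = {"answer": 0, "slip": 0, "drop": 0}
    for sec, ip, name, qtype in queries:
        counts[decide(sec, ip, name, qtype)] += 1
    return counts


# Constructed flood: 100 plain A queries in one second, source spoofed as 192.0.2.10
FLOOD = [(0, "192.0.2.10", "example.com", "A")] * 100

if __name__ == "__main__":
    print("RRL        :", simulate(FLOOD, ResponseRateLimiter().decide))
    print("ANY filter :", simulate(FLOOD, qtype_only_filter))
```

With the constructed flood the RRL model sends 5 full answers and 47 truncated ones and drops the rest, while the type-only filter answers all 100 because none of them are ANY queries.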