Stopping ddos

Michael De Roover isc at nixmagic.com
Tue Aug 2 21:16:15 UTC 2022


For my servers I'm using iptables rules to achieve ratelimiting. They
look as follows:
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource

It should be fairly trivial to convert these to use UDP 53, and tweak
the timings you want. These rules are intended to allow 4 connections
(which normally should be entire SMTP transactions) every 10 minutes.
Since I have 2 edge nodes with these rules, that is doubled to 8
connections total. If you're an authoritative name server only,
realistically mostly recursors / caching servers would query your
servers and not too often. You can easily restrict traffic here. If
you're a recursor too, this becomes a bit more complicated.

Regarding the legitimate queries, it would be prudent to allow common
recursors (Google, Cloudflare, Quad9 etc) to have exceptions to this
rule. Just allow their IP addresses to send traffic either
unrestricted, or using a more relaxed version of the above.

HTH,
Michael
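
As an added example (not code from either message), the Python below emulates the `recent` rule pair above over BIND "query denied" lines of the kind quoted below, so the 4-hits-per-600-seconds threshold can be tried against a log before it goes on a live firewall; each logged query is treated as one NEW connection. The hostname, addresses and the exemption network are constructed placeholders. It also shows an xt_recent detail worth knowing: a hit that matches the --update rule refreshes the entry, so a source that keeps querying stays blocked until it pauses for the full window.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# BIND "query denied" line as quoted in the thread (hostname, pid and client pointer vary)
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client \S+ "
                    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ .*query \(cache\) '(?P<q>[^']+)' denied$")
# Exempted recursors: placeholder network (RFC 5737). Put the addresses the recursors
# send their queries *from* here; a recursor's public anycast service address is not that.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

def log_line(ts, ip, port):  # builds a constructed sample line in the thread's format
    return (f"{ts} onlo named[6155]: client @0xaa3cad80 {ip}#{port} (.): "
            "view external: query (cache) './A/IN' denied")
# Constructed sample: one noisy source, one quiet source, one exempted recursor
SAMPLE_LOG = [log_line(*t) for t in [
    ("Aug  2 15:47:19", "203.0.113.7", 11205), ("Aug  2 15:47:30", "192.0.2.10", 53222),
    ("Aug  2 15:47:40", "198.51.100.53", 40001), ("Aug  2 15:48:19", "203.0.113.7", 11206),
    ("Aug  2 15:49:19", "203.0.113.7", 11207), ("Aug  2 15:50:19", "203.0.113.7", 11208),
    ("Aug  2 15:51:19", "203.0.113.7", 11209), ("Aug  2 15:52:19", "203.0.113.7", 11210),
    ("Aug  2 15:58:00", "203.0.113.7", 11211), ("Aug  2 16:02:30", "203.0.113.7", 11212)]]

def parse(line, year=2022):  # -> (timestamp, source ip, qname) for a denial line, else None
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["q"]

def emulate(lines, seconds=600, hitcount=4, list_tot=20):
    """Per-source verdicts under the --update/--set pair; list_tot is xt_recent's default ip_pkt_list_tot."""
    stamps = defaultdict(lambda: deque(maxlen=list_tot))   # timestamps xt_recent keeps per address
    verdicts = defaultdict(lambda: {"accepted": 0, "dropped": 0, "exempt": 0})
    for line in lines:
        if (rec := parse(line)) is None:
            continue
        ts, ip, _qname = rec
        if any(ipaddress.ip_address(ip) in net for net in ALLOWLIST):
            verdicts[ip]["exempt"] += 1
            continue
        window = stamps[ip]
        while window and (ts - window[0]).total_seconds() > seconds:
            window.popleft()  # older than --seconds: not counted toward --hitcount
        if len(window) >= hitcount:  # --update --hitcount matched: DROP. The match also
            verdicts[ip]["dropped"] += 1  # refreshes the entry, so a steady stream stays blocked
        else:
            verdicts[ip]["accepted"] += 1  # no match: the --set rule records the connection
        window.append(ts)
    return dict(verdicts)
```

emulate(SAMPLE_LOG) returns per-source counts; in the sample the noisy source ends with 5 accepted and 3 dropped, and its 15:58:00 query is dropped only because the two earlier dropped hits refreshed its entry.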

On Tue, 2022-08-02 at 16:02 -0400, Robert Moskowitz wrote:
> Recently I have been having problems with my server not responding to my
> requests.  I thought it was all sorts of issues, but I finally looked at
> the logs and:
> 
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.): view external: query (cache) './A/IN' denied
> Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.): view external: query (cache) './A/IN' denied
> 
> grep -c denied messages
> 45868
> 
> And that is just since Jul 31 3am.
> 
> This is fairly recent so I never looked into what I might do to protect
> against this.  I am the master for my domain, so I do need to allow for
> legitimate queries.
> 
> Any best practices on this?
> 
> I am running bind 9.11.4
> 
> thanks
> 