Stopping ddos

Peter pmc at citylink.dinoex.sub.org
Tue Aug 2 23:02:42 UTC 2022


On Tue, Aug 02, 2022 at 11:16:15PM +0200, Michael De Roover wrote:
! For my servers I'm using iptables rules to achieve ratelimiting. They
! look as follows:
! -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
! -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
! 
! It should be fairly trivial to convert these to use UDP 53, and tweak
! the timings you want. These rules are intended to allow 4 connections
! (which normally should be entire SMTP transactions) every 10 minutes.
! Since I have 2 edge nodes with these rules, that is doubled to 8
! connections total. If you're an authoritative name server only,
! realistically mostly recursors / caching servers would query your
! servers and not too often. You can easily restrict traffic here. If
! you're a recursor too, this becomes a bit more complicated.

Just to give a Heads Up:

I have a very similar config in IPFW protecting port 53 with a rate
limit. I had put that in because the option was there and I thought
it a good idea, and then entirely forgotten about it.

I was then very surprised when I couldn't renew my certificates due
to creepy and non-reproducible failures. A CA can send quite an amount
of queries when validating a site, and may have tough timeouts.
I recommend testing such a rate-limit against DNSviz.net which also
sends a high amount of queries.

(My actual fault was to forget about the limit, otherwise one could
just remove it temporarily during such actions.)

-- PMc
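To make the behaviour of the quoted rule pair concrete (and to show why a CA validator or DNSviz can trip it, as described in the reply above), here is an added simulation of the two `-m recent` rules applied to UDP/53. This is example code written for this page, not something from the thread; it assumes the documented xt_recent semantics (the `--update` rule matches once a source already has `--hitcount` timestamps inside the last `--seconds` seconds, and a match refreshes the entry, so dropped packets keep the block alive), ignores the per-entry timestamp cap, and uses constructed sample traffic from two made-up source addresses.

```python
"""Model of the iptables 'recent' rate-limit pair from the thread, on UDP/53.

Added example, not code from the thread. Assumes xt_recent semantics:
  rule 1: -m recent --update --seconds 600 --hitcount 4 --rsource -j DROP
  rule 2: -m recent --set --rsource
Rule 1 matches when the source already has >= HITCOUNT timestamps within
the last SECONDS seconds, and a match appends a fresh timestamp (--update).
Rule 2 records a timestamp for every packet rule 1 did not drop.
The per-entry timestamp cap (ip_pkt_list_tot) is ignored in this model.
"""

SECONDS = 600   # --seconds 600
HITCOUNT = 4    # --hitcount 4


class RecentTable:
    """One 'recent' list (--name DEFAULT), keyed by source address (--rsource)."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = {}   # src -> list of packet timestamps (seconds)

    def _hits_in_window(self, src, now):
        return sum(1 for t in self.stamps[src] if now - t < self.seconds)

    def update_matches(self, src, now):
        """Rule 1: --update --seconds S --hitcount N. True means the packet is dropped."""
        if src not in self.stamps:
            return False
        if self._hits_in_window(src, now) >= self.hitcount:
            self.stamps[src].append(now)   # --update refreshes the entry on a match
            return True
        return False

    def set(self, src, now):
        """Rule 2: --set, reached only by packets rule 1 did not drop."""
        self.stamps.setdefault(src, []).append(now)


def filter_packets(packets, seconds=SECONDS, hitcount=HITCOUNT):
    """Run (time, src) packets through both rules; return [(time, src, verdict)]."""
    table = RecentTable(seconds, hitcount)
    verdicts = []
    for now, src in sorted(packets):
        if table.update_matches(src, now):
            verdicts.append((now, src, "DROP"))
            continue
        table.set(src, now)
        verdicts.append((now, src, "ACCEPT"))
    return verdicts


def count_verdicts(verdicts, src, verdict):
    return sum(1 for _, s, v in verdicts if s == src and v == verdict)


def demo():
    """Constructed traffic (not real captures):
    - a caching resolver asking once every 5 minutes for an hour;
    - a validator that fires 6 queries in 2 seconds, retries 5 minutes later,
      then tries again after being quiet for the full window."""
    resolver = "192.0.2.10"        # constructed, RFC 5737 documentation address
    validator = "198.51.100.7"     # constructed, RFC 5737 documentation address
    packets = [(t, resolver) for t in range(0, 3601, 300)]
    packets += [(1000 + 0.4 * i, validator) for i in range(6)]
    packets += [(1300, validator), (2000, validator)]
    return filter_packets(packets)


if __name__ == "__main__":
    for now, src, verdict in demo():
        print(f"t={now:7.1f}  {src:14}  {verdict}")
```

Running it shows the resolver never being touched, while the validator gets its first four queries in, loses the next two, is still blocked when it retries five minutes later (each dropped packet refreshed the 600-second window), and only succeeds once it has been silent for the whole window. That refresh-on-drop behaviour is what turns a burst from a legitimate checker into the kind of hard-to-reproduce failure described above.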


More information about the bind-users mailing list