Stopping ddos
Paul Kosinski
bind at iment.com
Wed Aug 3 23:53:15 UTC 2022
On Wed, 3 Aug 2022 13:47:41 +0200
Victor Johansson via bind-users <bind-users at lists.isc.org> wrote:
> Hey,
>
> I just want to add that there is a better way to do this in iptables
> with hashlimit. The normal rate limit in iptables is too crude.
>
> Below is an example from the rate-limit-chain, to which you simply send
> all port 53 traffic from the INPUT chain (make sure to exclude
> 127.0.0.1/127.0.0.53 though :) ).
>
>
> -A INPUT -p udp -m udp --dport 53 -j DNS-RATE-LIMIT
> -A INPUT -p tcp -m tcp --dport 53 -j DNS-RATE-LIMIT
>
> -A DNS-RATE-LIMIT -s 127.0.0.1/32 -m comment --comment "Dont rate-limit
> localhost" -j RETURN
> -A DNS-RATE-LIMIT -m hashlimit --hashlimit-upto 100/sec
> --hashlimit-burst 300 --hashlimit-mode srcip --hashlimit-name DNS-drop
> --hashlimit-htable-expire 2000 -j ALLOW
> -A DNS-RATE-LIMIT -m limit --limit 1/sec -j LOG --log-prefix "DNS-drop: "
> -A DNS-RATE-LIMIT -m comment --comment "ansible[dns rate limiting]" -j DROP
>
>
> //Victor
>
I was using iptables hashlimit for a while but stopped. It wasn't really solving my main problem, which was not so much "overloading" my BIND server as causing my log files to get filled with useless warnings about bad queries (or packets dropped).
It would be nice if BIND had way to record such error messages into a dumpable table with query, source IP and count.
More information about the bind-users
mailing list