Rate Limiting Against DDOS

Rate Limiting Against DDOS

Aladme

Morning Everyone!!

I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.

I’m using a modified script which works perfectly, but I’m limited by one of the settings.

Here is the script.

*filter
:INPUT ACCEPT [548:41223]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4439:1270057]
# allowlisted sources (addresses redacted in the post)
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
# record the source of every UDP/53 query in the "dnsanyquery" list and log it
-A INPUT -p udp -m udp --dport 53 -m recent --set --name dnsanyquery --mask 255.255.255.255 --rsource -j LOG --log-prefix "IPTables-Dropped: "
# log again when the same source has been seen 20 or more times within 1 second
-A INPUT -p udp -m udp --dport 53 -m recent --rcheck --seconds 1 --hitcount 20 --name dnsanyquery --mask 255.255.255.255 --rsource -j LOG
COMMIT

The combination (--seconds 1 --hitcount 20) allows a maximum of 20 qps.

The fact is that hitcount does not allow a number higher than 20, and I’m looking for some rules which allow me to rate limit over 200 or 300 qps.

And I cannot find it!!

As you can see, I’m only logging these queries to a file up to 20 per second; after that I’m using fail2ban to block the logged sources. Does someone know a better way to block queries above 300 per second?

I’m losing a lot of time. Rate limiting to prevent DDoS is killing my brain.   :-)

How do you rate limit your DNS servers?

Thanks in advance.

Alejandro.

_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
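The ceiling Alejandro runs into is a property of the xt_recent module, not of iptables as such: --hitcount cannot exceed the module's ip_pkt_list_tot parameter, which defaults to 20. The hashlimit match has no such cap and keeps a token bucket per source address, which is the usual way to express "drop a source that sends more than N queries per second". The script below is an added example, not code from the thread: the chain name DNS_RATELIMIT, the hashlimit table name dnsflood, the 300/sec figure and the allowlisted addresses (192.0.2.x, a documentation range) are all placeholders. It defaults to a dry run that prints the iptables commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: per-source DNS query rate limiting with the iptables hashlimit
# match. Everything here (chain name, table name, limits, addresses) is an
# assumption for illustration, not taken from the original post.

IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables applies the rules
LIMIT="${LIMIT:-300/sec}"     # sustained per-source rate above which queries are dropped
BURST="${BURST:-300}"         # bucket size: a short spike of up to this many queries passes
# Sources that must never be limited (constructed placeholder addresses).
ALLOW="${ALLOW:-192.0.2.10 192.0.2.11}"

dns_ratelimit_rules() {
    # A dedicated chain so that logging and dropping share ONE hashlimit
    # decision; two rules naming the same hashlimit table would each consume
    # a token and count every query twice.
    $IPT -N DNS_RATELIMIT
    # Log sparingly: one line per offender burst, not one per dropped packet,
    # so an attacker cannot turn the rate limiter into a log-flooding tool.
    $IPT -A DNS_RATELIMIT -m limit --limit 10/min --limit-burst 5 \
        -j LOG --log-prefix "DNS-ratelimit: "
    $IPT -A DNS_RATELIMIT -j DROP

    # Allowlist first, so trusted resolvers and monitoring never hit the limit.
    for src in $ALLOW; do
        $IPT -A INPUT -p udp --dport 53 -s "$src" -j ACCEPT
    done

    # --hashlimit-mode srcip keys the bucket on the source /32 (srcmask 32);
    # --hashlimit-above matches only while a source exceeds LIMIT, so normal
    # clients are never touched. Idle entries expire after 10 s (value in ms).
    $IPT -A INPUT -p udp --dport 53 -m hashlimit \
        --hashlimit-name dnsflood --hashlimit-mode srcip --hashlimit-srcmask 32 \
        --hashlimit-above "$LIMIT" --hashlimit-burst "$BURST" \
        --hashlimit-htable-expire 10000 \
        -j DNS_RATELIMIT
}

dns_ratelimit_rules
```

For IPv6 the same rules go into ip6tables with --hashlimit-srcmask 64, since a single client typically has a whole /64. If you would rather keep the original recent-based rules, the other way out of the 20 ceiling is to load the module with a larger list size (modprobe xt_recent ip_pkt_list_tot=300), at the cost of more kernel memory per tracked source.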
Re: Rate Limiting Against DDOS

bert hubert-3
On Thu, Jan 14, 2016 at 08:45:29AM +0000, Alejandro Adroher Mellado wrote:
> Morning Everyone!!

GOOD MORNING!

> I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.
> I’m using a modified script who works perfectly, but I’m limited for one of the settings.

Unless you are seeing hundreds of thousands of queries per second, dnsdist
might be a better choice for you, http://dnsdist.org/

It has a bunch of simple settings that probably do just what you want.

See for example:
https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting

But dnsdist offers way more than that to help you. You might for example
delay some answers, or strip the RD bit so your servers don't need to do any
work for certain subnets etc.

> How do you rate limit your DNS servers?

With dnsdist. Feel free to join us on the dnsdist mailing list
(http://mailman.powerdns.com/mailman/listinfo/dnsdist) and let's see if we
can make a nice config for you.

        Bert

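Bert points at the dnsdist per-subnet QPS rule and mentions delaying answers and stripping the RD bit. The script below is an added example, not part of the thread or of the dnsdist project: it writes a minimal dnsdist configuration that does those three things and, when a dnsdist binary is present, validates it with dnsdist's own --check-config. The function names (setLocal, newServer, addAction, MaxQPSIPRule, DropAction, DelayAction, NoRecurseAction) are the dnsdist Lua API as documented; the listen address, backend address, subnets and the 300 qps figure are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate and check a dnsdist config for per-source rate
# limiting. Addresses, subnets and limits are placeholders, not from the post.

QPS="${QPS:-300}"   # queries per second allowed from one source before dropping

write_dnsdist_conf() {
    # $1: path of the config file to write (dnsdist Lua syntax).
    cat > "$1" <<EOF
-- Address dnsdist listens on; clients talk to this, not to the recursor (placeholder).
setLocal("192.0.2.53:53")
-- The recursor being protected, moved to a port only dnsdist reaches (placeholder).
newServer("127.0.0.1:5300")
-- Hard limit: drop queries from any source /32 (IPv4) or /64 (IPv6)
-- that sends more than $QPS queries per second.
addAction(MaxQPSIPRule($QPS, 32, 64), DropAction())
-- Softer measure for a subnet that is noisy but legitimate: delay answers
-- by 100 ms instead of dropping (constructed subnet).
addAction("198.51.100.0/24", DelayAction(100))
-- Sources that should never trigger recursion: clear the RD bit so the
-- recursor answers only from cache and does no upstream work (constructed subnet).
addAction("203.0.113.0/24", NoRecurseAction())
EOF
}

check_dnsdist_conf() {
    # $1: config path. Uses dnsdist's real syntax check when the binary is
    # installed; otherwise falls back to confirming the limit rule was emitted.
    if command -v dnsdist >/dev/null 2>&1; then
        dnsdist --check-config -C "$1"
    else
        grep -q "MaxQPSIPRule($QPS, 32, 64)" "$1"
    fi
}

# Usage: write the file next to the script and check it.
write_dnsdist_conf ./dnsdist.conf && check_dnsdist_conf ./dnsdist.conf
```

The order of addAction calls matters: dnsdist evaluates rules top to bottom and the first matching action wins, so put the hard drop first if it must apply to the delayed subnet as well, or move it below the subnet rules if those subnets are exempt from it.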