Revision [2972]

This is an old revision of Tier2Security made by JeffTaylor on 2013-02-16 14:11:23.

 

Tier-2 Security Measures


Protecting Against Attacks


Tier-2 operators frequently find their public resolvers drawn into attacks, either as the target of a query flood or as a reflector that amplifies a flood aimed at someone else. The measures below were developed to mitigate these attacks.

Iptables Rules
The following iptables rules should be added where appropriate to your setup. They are shown without a chain argument: prefix each with -A INPUT (or -I INPUT to insert at the top). When in doubt, put them at the beginning of the INPUT chain, ahead of any rule that accepts traffic to udp/53, because a packet accepted by an earlier rule never reaches them. The pattern rules use the string match (xt_string), which is part of stock iptables/netfilter.

To protect against floods of queries for isc.org. The 15-byte pattern is the DNS header tail ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 followed by the encoded name "isc.org", so it matches queries for that name that carry one additional record (the EDNS0 OPT record an amplification flood sends to get the largest possible answer). It drops every such query, legitimate or not:
-p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --to 65535 --dport 53 -j DROP

To protect against floods of queries for ripe.net (same layout as above, with the name "ripe.net"):
-p udp -m string --hex-string "|0000000000010472697065036e6574|" --algo bm --to 65535 --dport 53 -j DROP

To limit ANY queries per source IP address, use these two lines. The pattern is the QNAME terminator followed by QTYPE ANY (0x00FF) and QCLASS IN (0x0001); --from 50 starts the search past the IPv4, UDP and DNS headers (20+8+12 = 40 bytes, assuming no IP options; for ip6tables the offset would need adjusting because the IPv6 header alone is 40 bytes). The first rule records the source address in the "dnsanyquery" list; the second drops the packet once that address has sent four or more ANY queries within 60 seconds, so each source gets three ANY queries per minute:
-p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
-p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 4 -j DROP
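To see what the three hex patterns above actually match, here is an added example (not from this page or the OpenNIC wiki) that builds DNS queries in wire format, wraps them in constructed IPv4/UDP headers, and emulates the xt_string --from/--to window. It assumes the offset is counted from the start of an IPv4 header with no options; the packet builder, the rule labels and the helper names are the example's own.

```python
import struct

# DNS wire format (RFC 1035, section 4.1): a 12-byte header (ID, FLAGS, QDCOUNT,
# ANCOUNT, NSCOUNT, ARCOUNT as 16-bit network-order fields) followed by the question.
QTYPE_A, QTYPE_OPT, QTYPE_ANY = 1, 41, 255
IPV4_HEADER_LEN, UDP_HEADER_LEN = 20, 8   # assumption: IPv4 without options


def encode_qname(name):
    """Encode 'isc.org' as the label sequence 03 'isc' 03 'org' 00."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_dns_query(name, qtype, edns=False, txid=0x1234):
    """Build a client query; edns=True appends an EDNS0 OPT record (ARCOUNT=1)
    advertising a 4096-byte UDP payload, as amplification floods do."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)              # class IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0) if edns else b""
    return header + question + opt


def wrap_ipv4_udp(dns_payload):
    """Constructed IPv4 and UDP headers; only their lengths matter for the offsets."""
    total = IPV4_HEADER_LEN + UDP_HEADER_LEN + len(dns_payload)
    ip = bytes([0x45, 0x00]) + struct.pack("!H", total) + b"\x00" * 16
    udp = struct.pack("!HHHH", 53123, 53, UDP_HEADER_LEN + len(dns_payload), 0)
    return ip + udp + dns_payload


def hex_string(spec):
    """Parse the iptables |..| hex notation, e.g. '|0000FF0001|'."""
    return bytes.fromhex(spec.strip("|"))


def string_match(packet, pattern, frm=0, to=65535):
    """Emulate xt_string: match only if PATTERN lies wholly inside packet[frm:to]."""
    return packet[frm:to].find(pattern) != -1


def first_offset(packet, pattern):
    """Offset of PATTERN from the start of the IPv4 header, or -1 if absent."""
    return packet.find(pattern)


# The three patterns from the page, in rule order, with their --from/--to windows.
RULES = [
    ("isc.org", hex_string("|00000000000103697363036f726700|"), 0, 65535),
    ("ripe.net", hex_string("|0000000000010472697065036e6574|"), 0, 65535),
    ("any", hex_string("|0000FF0001|"), 50, 65535),
]


def classify(packet):
    """Label of the first pattern rule that matches PACKET, or None."""
    for label, pattern, frm, to in RULES:
        if string_match(packet, pattern, frm, to):
            return label
    return None


if __name__ == "__main__":
    samples = [("isc.org", QTYPE_A, True), ("isc.org", QTYPE_A, False),
               ("isc.org", QTYPE_ANY, False), ("example.com", QTYPE_ANY, False)]
    for name, qtype, edns in samples:
        pkt = wrap_ipv4_udp(build_dns_query(name, qtype, edns))
        print(name, "ANY" if qtype == QTYPE_ANY else "A", "edns" if edns else "plain",
              "->", classify(pkt), "| ANY pattern at offset", first_offset(pkt, RULES[2][1]))
```

Two things fall out of running it. The isc.org and ripe.net patterns only match queries whose ARCOUNT is 1, so a plain query without EDNS0 passes the first two rules. And because the QNAME starts at offset 40, the ANY pattern (terminator plus QTYPE/QCLASS) only begins at or after offset 50 when the encoded name is at least 11 bytes long; for "isc.org" (9 bytes) it sits at offset 48, which the --from 50 window never sees, so very short names escape the ANY limiter under the stated assumptions.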


These two rules throttle each source /24 (because of --hashlimit-srcmask 24; use 32 to limit individual addresses) to 30 queries per minute, allowing a burst of 10 queries; anything to udp/53 beyond that is dropped by the second rule. They must come after the rules above, since the ACCEPT would otherwise let flood queries through before the pattern rules see them (more information can be found at IPTablesRulesToBlockDDOSTraffic):
-p udp -m hashlimit --hashlimit-srcmask 24 --hashlimit-mode srcip --hashlimit-upto 30/m --hashlimit-burst 10 --hashlimit-name DNSTHROTTLE --dport 53 -j ACCEPT
-p udp -m udp --dport 53 -j DROP
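The recent pair above and this hashlimit pair are stateful, so the rule text alone does not show how many queries actually get through. The following is an added example (not the page's or OpenNIC's code) that models the two matches in Python: per-address hit timestamps for recent, and a token bucket per source prefix for hashlimit. The class names, the integer-second clock and the sample traces are the example's own, and the token bucket is an approximation of the kernel's integer credit arithmetic.

```python
import ipaddress
from collections import defaultdict


class RecentList:
    """Models xt_recent: a named list of hit timestamps (seconds) per source address."""

    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record a hit for SRC, adding the address to the list if it is new."""
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: true if SRC has at least N hits
        no older than S seconds (the kernel keeps stamps >= now - S)."""
        window = [t for t in self.stamps.get(src, ()) if t >= now - seconds]
        return len(window) >= hitcount


class HashLimit:
    """Models xt_hashlimit in --hashlimit-upto mode as a token bucket per source prefix."""

    def __init__(self, rate_per_minute, burst, srcmask=32):
        self.rate = rate_per_minute / 60.0   # tokens refilled per second
        self.burst = burst                   # bucket capacity and initial fill
        self.srcmask = srcmask
        self.buckets = {}                    # prefix -> (tokens, last_seen)

    def key(self, src):
        # --hashlimit-srcmask 24 makes every host in a /24 share one bucket
        return ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)

    def upto(self, src, now):
        """True if a packet from SRC at NOW is within the rate (the match fires)."""
        k = self.key(src)
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, now)
            return True
        self.buckets[k] = (tokens, now)
        return False


def any_query_verdict(recent, src, now):
    """The two recent rules from the page in order: --set, then --rcheck ... -j DROP."""
    recent.set(src, now)
    return "DROP" if recent.rcheck(src, now, seconds=60, hitcount=4) else "PASS"


def dns_throttle_verdict(limiter, src, now):
    """The hashlimit ACCEPT rule followed by the catch-all DROP for udp/53."""
    return "ACCEPT" if limiter.upto(src, now) else "DROP"


def run_any_trace(events):
    """Feed constructed (time, src) ANY-query events through the recent pair."""
    recent = RecentList("dnsanyquery")
    return [any_query_verdict(recent, src, t) for t, src in events]


def run_throttle_trace(events):
    """Feed constructed (time, src) udp/53 events through the 30/m, burst 10, /24 limiter."""
    limiter = HashLimit(rate_per_minute=30, burst=10, srcmask=24)
    return [dns_throttle_verdict(limiter, src, t) for t, src in events]


if __name__ == "__main__":
    # Constructed traces: one source sending ANY queries one second apart, then again a minute later
    print(run_any_trace([(0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
                         (3, "198.51.100.7"), (5, "203.0.113.9"), (62, "198.51.100.7")]))
    # Twelve queries at once from one host, then two hosts two seconds later
    print(run_throttle_trace([(0, "203.0.113.10")] * 12 +
                             [(2, "203.0.113.20"), (2, "203.0.113.20"), (2, "198.51.100.1")]))
```

On these traces the recent pair passes three ANY queries per source per minute and drops the fourth, and hits older than the 60-second window stop counting. The hashlimit pair admits a burst of ten packets from a /24, then one packet every two seconds, and that allowance is shared by every host in the /24 (203.0.113.20 is throttled by 203.0.113.10's burst while 198.51.100.1 starts with a fresh bucket); everything else to udp/53 falls through to the DROP.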


Support Scripts
There is a Perl script available which can be run from a dedicated firewall or directly on the DNS server. It monitors your traffic, looks for some of the older flood patterns, and adds iptables rules that block the offending IP addresses for a short period. The code can be found at ddosDotPl; please read the comments in the script for information about setting it up.