nanog mailing list archives

Re: Open DNS Resolver reflection attack Mitigation


From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Fri, 8 Jun 2012 21:26:05 +0200

On Fri, Jun 08, 2012 at 03:09:04PM -0400, Joe Maimon <jmaimon () ttec com> wrote a message of 7 lines which said:

> Is there any publicly available rate limiting for BIND?

Not as far as I know. I'm not sure it would be a good idea. BIND is
feature-rich enough.
 
> How about host-based IDS that can be used to trigger rtbh or iptables?

What I do (I manage a small and experimental open resolver) is to use
iptables this way (porting it to IPv6 is left as an exercise):

iptables -A INPUT -p udp --dport 53 -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

So, every prefix (length 28) can send 20 r/s with allowed bursts of
100. This requires a Netfilter >= 1.4 (recent options of module
hashlimit).

Most iptables recipes that you find on the Web are not well suited to
DNS. They use connection tracking, for instance, while, with the DNS,
every request/response is a "connection".

I have a more complete article on this setup but in French only
<http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html>.

> Google and Level3 manage to run open resolvers, why can't I?

You have less money :-)
