nanog mailing list archives

Re: Open DNS Resolver reflection attack Mitigation


From: Owen DeLong <owen () delong com>
Date: Fri, 8 Jun 2012 15:03:31 -0700


On Jun 8, 2012, at 1:11 PM, Stephane Bortzmeyer wrote:

On Fri, Jun 08, 2012 at 12:56:23PM -0700,
Owen DeLong <owen () delong com> wrote 
a message of 28 lines which said:

IPv6 should be a simple matter of putting the same line in your
ip6tables file.

My experience with attack mitigation is that tools do not always work
as advertised and sometimes do bad things (such as crashing the
machine). So, I agree, it "should be a simple matter" but I prefer to
test first.

I'm using a much simpler:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT

(v4 and v6 identical rules) and it seems to be working so far.

YMMV.

[For instance, my IPv4 rule required a maximum of 2^28 buckets in
memory while an IPv6 rule with --hashlimit-srcmask 64 would require a
maximum of 2^64 buckets... What will be the effect on the system
memory?]


True, but, if you leave 28 in place, it will only require 2^28 buckets for
IPv6 as well. You might want to bump up the allowed qps since there
can be quite a few more hosts per /28, but, otherwise should still be
reasonably feasible.

Owen
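The per-prefix variant the thread is discussing (hashlimit with --hashlimit-srcmask, as opposed to the global -m limit rules Stephane posted), with the 2^srcmask arithmetic behind the 2^28 / 2^64 figures and the table cap that actually bounds memory, as an added example that is not code from either post. It reuses the chain name RH-Firewall-1-INPUT and the 30/minute, burst 90 values from Stephane's rules; the --hashlimit-htable-max value of 65536 is an illustrative assumption, and the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not code from the thread.  Emits hashlimit-based DNS rate
# limiting rules for iptables/ip6tables and shows what --hashlimit-srcmask
# implies for the number of table entries.  Chain name and the 30/minute,
# burst 90 values follow the posted -m limit rules; the htable-max of 65536
# is an illustrative assumption.

CHAIN=RH-Firewall-1-INPUT

# Upper bound on distinct keys a srcmask can produce: 2^srcmask.
# Prints "overflow" above 62 bits instead of wrapping the shell integer.
max_prefixes() {
    mask=$1
    if [ "$mask" -gt 62 ]; then
        echo overflow
        return 0
    fi
    n=1; i=0
    while [ "$i" -lt "$mask" ]; do
        n=$((n * 2)); i=$((i + 1))
    done
    echo "$n"
}

# Entries the table can actually hold.  hashlimit creates an entry per active
# key on demand and refuses new keys once --hashlimit-htable-max is reached,
# so memory is bounded by min(2^srcmask, htable-max), not by 2^srcmask alone.
effective_cap() {
    mask=$1; htmax=$2
    total=$(max_prefixes "$mask")
    if [ "$total" = overflow ] || [ "$total" -gt "$htmax" ]; then
        echo "$htmax"
    else
        echo "$total"
    fi
}

# Print one ACCEPT rule limited per source prefix, then the DROP that catches
# whatever exceeds the limit (the ACCEPT must precede it in the chain).
#   $1 family (4|6)  $2 proto (udp|tcp)  $3 srcmask  $4 rate  $5 burst  $6 htable-max
dns_hashlimit_rules() {
    family=$1; proto=$2; mask=$3; rate=$4; burst=$5; htmax=$6
    if [ "$family" = 6 ]; then tool=ip6tables; else tool=iptables; fi
    name="dns${family}${proto}"   # one hash table per rule
    printf '%s -A %s -p %s --dport 53 -m state --state NEW -m hashlimit --hashlimit-name %s --hashlimit-mode srcip --hashlimit-srcmask %s --hashlimit-upto %s --hashlimit-burst %s --hashlimit-htable-max %s -j ACCEPT\n' \
        "$tool" "$CHAIN" "$proto" "$name" "$mask" "$rate" "$burst" "$htmax"
    printf '%s -A %s -p %s --dport 53 -m state --state NEW -j DROP\n' \
        "$tool" "$CHAIN" "$proto"
}

# Print (do not apply) the rule set: /28 per source for IPv4, /64 for IPv6.
for proto in udp tcp; do
    dns_hashlimit_rules 4 "$proto" 28 30/minute 90 65536
    dns_hashlimit_rules 6 "$proto" 64 30/minute 90 65536
done
echo "# worst-case keys: v4 /28 = $(max_prefixes 28), v6 /64 = $(max_prefixes 64), v6 entries actually allowed = $(effective_cap 64 65536)"
```

Pipe the output into sh as root to apply it. The point of effective_cap is that the 2^64 figure is a key-space size, not an allocation: with --hashlimit-htable-max set, an IPv6 rule keyed on /64 (or /48) never holds more entries than the cap, so the memory question is settled by the cap rather than by shrinking the mask. Keeping srcmask 28 on IPv6, as suggested above, would lump everything inside an IPv6 /28 (larger than the blocks most providers are allocated) into a single bucket, which is why the cap is the usual way to bound the table.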
