Hmm I thought it is better you'll do the rate limiting on a lower layer. It's the same fix. you give the customer x queries in y time. But with RRL I think every query is counted. With iptables you can say, just count the ANY queries. So it's more specific
Freundliche GrĂ¼sse
sasag Kabelkommunikation AG Michael Richter Professional Bachelor ODEC in Engineering mrichter@sasag.ch 052 633 01 71
________________________________________ Von: Jeroen Massar [jeroen@massar.ch] Gesendet: Freitag, 24. Mai 2013 13:43 An: Michael Richter Cc: Benoit Panizzon; swinog@swinog.ch Betreff: Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
On 2013-05-24 12:52 , Michael Richter wrote: [..]
What can you do to limit this stupid traffic: - rate limit the queries per customer (not really a good idea) - rate limit this special kind of queries. (that's the best way at the moment)
I haven't had the time to look into the packets to limit this queries. If they are all similiar you can set up a drop filter in the iptables like you should already have with the isc.org ANY requests. -> Problem not really solved but you should be happy with this :-)
[..]
but what's the hex string for this kind of query. anybody got it?
You want to deploy RRL.
iptables is not the right location for doing this kind of stuff as you will have false positives.
Please see http://www.redbarn.org/dns/ratelimits
Greets, Jeroen