Linux Netfilter discussions
From: Martijn Lievaart <m@rtij.nl>
To: "Eduardo Fernández" <eduardo@cmusanjuan.com>
Cc: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: How to block a DNS DoS attack?
Date: Sun, 03 Dec 2006 16:26:04 +0100
Message-ID: <4572EC8C.7020600@rtij.nl>
In-Reply-To: <fedfc260612021256w7f94bb2eg3bb77e6bdd5c97d9@mail.gmail.com>

Eduardo Fernández wrote:

> Hi!
>
> Some computers in my network are flooding the dns server with mx
> queries generated by some virus, at a rate of 2/second or so. I can't
> use the string match as suggested before because of my kernel version.
> I can't forbid MX queries in the server because there could be valid
> queries, so the only way to match the virus is the speed or number of
> queries. I've tried the following to match only the virus but not the
> normal clients (people surfing the web mainly):
>
> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit 40/minute --limit-burst 2000 -j ACCEPT
>
> But it doesn't work. Any ideas?


I don't know why this doesn't work, but I would probably take a whole
different route. As you say you could have matched with the string
match, you can write a tcpdump capture expression for those packets.
Feed the output to a short script that extracts the IP address and adds
a rule to deny any traffic to that IP address. This has the added
advantage that it breaks functionality on the client, so people will
complain. This makes it easier to spot the infected machines. And maybe
slow the rate of spreading, who knows.

If those addresses are assigned by DHCP, make sure to clear the blocks
occasionally. Any (still) infected machine will simply readd itself in
no time.

Obviously, you have to make sure that you add an address only once. This
also means that adding and deleting IP addresses should probably be
coordinated with a lock, though you may get away without one.

Something along these lines (untested):

# iptables -N VDROP
# iptables -I INPUT -j VDROP
# mkdir -p /var/state/sumtin
# tcpdump -l -n -i <intf> <filter> |
>   sed -u -r -n 's/^.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+ > .*$/\1/p' |
>   while read ip; do
>     if [ ! -f /var/state/sumtin/$ip ]; then
>       touch /var/state/sumtin/$ip
>       iptables -A VDROP -s $ip -j DROP
>     fi
>   done

(The ipset match is better suited for this, but if you don't have
string, you probably don't have ipset.)

BTW, you probably get better results with the limit match if you use a
shorter time and a lower limit.

HTH,
M4
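A runnable version of the tcpdump-to-blocklist approach described in the message above, added here as an example; it is not code from the original post or from the netfilter project. It assumes tcpdump's `-n` line format ("time IP src.port > dst.port: ..."), a VDROP chain created as in the message, and names that are my own choices: the state directory /var/state/vdrop, an IPTABLES variable that can be pointed at `echo` for a dry run, the capture filter `udp dst port 53`, and the constructed sample lines in SAMPLE (not a real capture). It splits the one-shot pipeline into an extraction step and an add-once step so each can be checked against sample lines before the script is pointed at a live interface, and it discards lines that carry no "src > dst" pair instead of handing them to iptables. The limit match mentioned at the end keeps a single counter per rule, not one per source, which is why a per-address block like this one is what singles out the infected clients.

```shell
#!/bin/sh
# Added example (not from the original message): block DNS-flooding
# clients once each, driven by tcpdump output.
# Assumed names: STATE_DIR, IPTABLES, the VDROP chain and the sample
# lines below are illustrative, not taken from the page.

STATE_DIR="${STATE_DIR:-/var/state/vdrop}"
IPTABLES="${IPTABLES:-iptables}"   # IPTABLES=echo gives a dry run

# Extract the source IPv4 address from one "tcpdump -n" line.
# The greedy ".*" is pinned by the single " > " between source and
# destination, so the group is always the source, not the server.
# "-n" plus the "p" flag print only lines where the substitution hit;
# anything else (no src > dst pair) yields an empty string.
src_ip() {
    printf '%s\n' "$1" |
        sed -n -E 's/^.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+ > .*$/\1/p'
}

# Add a DROP rule for an address exactly once. The marker file in
# STATE_DIR is the record of what has already been blocked, so a still
# infected machine that keeps querying does not produce duplicate rules.
# Prints the address only when a rule was actually added.
block_once() {
    ip="$1"
    [ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"
    if [ ! -f "$STATE_DIR/$ip" ]; then
        touch "$STATE_DIR/$ip"
        "$IPTABLES" -A VDROP -s "$ip" -j DROP >/dev/null
        printf '%s\n' "$ip"
    fi
}

# Run the two steps over whatever arrives on stdin, one line at a time.
process_stream() {
    while IFS= read -r line; do
        ip=$(src_ip "$line")
        if [ -n "$ip" ]; then
            block_once "$ip"
        fi
    done
    return 0
}

# Undo everything, e.g. from cron, so DHCP reassignments do not leave
# stale blocks behind; infected hosts re-add themselves on the next query.
clear_blocks() {
    "$IPTABLES" -F VDROP >/dev/null
    rm -f "$STATE_DIR"/*
}

# Constructed sample of "tcpdump -n" output: two queries from one host,
# one from another, and a line that is not a packet at all.
SAMPLE='12:00:01.000001 IP 192.168.1.10.1024 > 10.0.0.53.53: 1+ MX? example.com. (29)
12:00:01.500001 IP 192.168.1.10.1025 > 10.0.0.53.53: 2+ MX? example.net. (29)
12:00:02.000001 IP 192.168.1.11.1026 > 10.0.0.53.53: 3+ MX? example.org. (29)
garbage line with no query'

case "${1:-}" in
    live)
        # tcpdump -l line-buffers its output so rules are added promptly.
        tcpdump -l -n -i "${2:?interface}" 'udp dst port 53' | process_stream
        ;;
    demo)
        STATE_DIR=$(mktemp -d)
        IPTABLES=echo
        printf '%s\n' "$SAMPLE" | process_stream
        ;;
esac
```

`sh script.sh demo` prints the two distinct source addresses from the sample (each once) without touching the firewall; `sh script.sh live eth0` does the real thing and needs root. Because the capture happens before netfilter sees the packet, tcpdump keeps reporting a blocked host; the marker file is what stops those reports from turning into extra rules.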



Thread overview: 4+ messages
2006-12-02 20:56 How to block a DNS DoS attack? Eduardo Fernández
2006-12-03 15:26 ` Martijn Lievaart [this message]
2006-12-03 21:34 ` Elvir Kuric
     [not found] <200612041423.kB4EN2Xu000536@mail3.jubileegroup.co.uk>
2006-12-04 15:09 ` G.W. Haywood
