Differences

This shows you the differences between two versions of the page.

--- iptables:dns_query_limiting [2016/07/08 10:11] – peter
+++ iptables:dns_query_limiting [2019/11/29 17:29] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== IPTables - DNS query limiting ======
-Analysis of DNS queries coming in was able to determine an average of 5 requests per second per IP.
-This figure could be set as the limit for the firewall, however to prevent instances where a lot of valid requests come in a relatively short amount of time, it is better to not measure over a single second but an average over a longer period.  For example, as it's been determined that there is an average of 5 requests per second, then that would mean that over 10 seconds there would be an average of 50 requests.
-To tighten the security even more, the firewall is also set to allow a maximum of 15 requests per second per IP.
-<code bash>
-#!/bin/bash
-# This script limits the queries per second to 5/s
-# with a burst rate of 15/s and does not require
-# buffer space changes
-# Requests per second
-RQS="15"
-# Requests per 10 seconds
-RQH="50"
-iptables --flush
-iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource
-iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${RQS} --name DNSQF --rsource -j DROP
-iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSHF --rsource
-iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 7 --hitcount ${RQH} --name DNSHF --rsource -j DROP
-</code>
-===== Another method =====
-The first rule resets the count and the timer.
-The second rule ensures that excess packets are dropped.
-<code bash>
-iptables -I INPUT -p udp --dport 53 -i eth0 -m state --state NEW -m recent --set
-iptables -I INPUT -p udp --dport 53 -i eth0 -m state --state NEW -m recent --update --seconds 15 --hitcount 30 -j DROP
-</code>
-===== Using String Matching =====
-Firewall rules could be setup to protect against fake requests coming in.
-Use an application such as **tcpdump** or **wireshark** to look at the individual incoming packets of fake requests.  For example:
-<code bash>
-tcpdump -nvvxxi eth0 port 53
-</code>
-A snapshot of data coming in might show the following starting at offset 0x2C:
-<code>
-: 01: 52.966446 IP (tos 0x0, ttl 179, id 14613, offset 0, flags [none], proto UDP (17), length 64)
-.154.66.179.16996> 176.9.26.150.53: [no cksum] 7490+ [1au] ANY? isc.org. ar:. OPT UDPsize = 4096 OK (36)
-x0000: 6c62 6dbc bb87 28c0 DA46 34a4 0800 4500
-x0010: 0040 3915 0000 B311 08ab b89a 42b3 b009
-x0020: 1a96 4264 0035 002c 0000 1d42 0100 0001
-x0030: 0001 0000 0000 0369 7363 7267 036f 0000
-x0040: ff00 0100 0029 1000 0000 8000 0000
-</code>
-Here is the cut from the above data from that data having the actual domain which can be found starting at offset 0x36 and it is isc.org in this case.
-<code>
-0001
-x0030: 0001 0000 0000 0369 7363 7267 036f 0000
-x0040: ff00 0100 0029 1000 0000 8000 0000
-</code>
-Now lets ban that using string matching.
-The first rule drops requests for the root domain's name servers.
-The second rule drops the specific source domain (in this example isc.org).
-This removes the spaces, enclosed in two pipes and one has the right filter string.
-<code bash>
-iptables -t raw -I PREROUTING -p udp --destination-port 53 -m string --algo kmp --from 30 --hex-string  "|010000010000000000000000020001|"  -j DROP
-iptables -t raw -I PREROUTING -p udp --destination-port 53 -m string --algo kmp --from 30 --hex-string  "|0100000100000000000103697363036f72670000ff00010000291000000080000000|"  -j DROP
-</code>
-See http://forum.slicehost.com/comments.php?DiscussionID=2970