Earlier this year, there was a very large denial-of-service attack that used DNS packets.
DNS was used because it is fairly easy to turn a small query packet into a much larger response packet aimed at the victim (DNS amplification). This is especially true with a technology called EDNS, which lets a server send UDP responses larger than the classic 512-byte limit; MaraDNS does not support EDNS.
When this attack was big news, I mentioned that I do not have time to implement rate limiting. However, CentOS 6 does support rate limiting at the firewall level. While some of the incantations on the Internet do not work in CentOS, the following iptables commands only allow a given IP to send MaraDNS/Deadwood 20 DNS queries every four seconds:
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DDOS --rsource
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --name DDOS --rsource -j DROP
The first rule has no target: it only records the source address of each new UDP query to port 53 in a list named DDOS and lets the packet continue. The second rule looks the source up in that list and drops the packet once that address has been seen 20 times within the last four seconds.
To verify they are applied:
iptables --list
To save these commands in CentOS so they are applied at system boot time (the iptables service must be enabled, e.g. with chkconfig iptables on, for this file to be loaded at boot):
iptables-save > /etc/sysconfig/iptables
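To make the behaviour of the two rules concrete, here is a small Python model of what the xt_recent list does to a burst of queries from one source. This is an added illustration, not code from MaraDNS or from this blog; it ignores the conntrack --state NEW match, measures time in seconds rather than kernel jiffies, and the addresses are made-up documentation addresses. It shows which packet in a burst is the first to be dropped and that the limit is per source address.

```python
from collections import deque

# xt_recent keeps a ring of at most ip_pkt_list_tot timestamps per source
# (kernel default 20); --hitcount cannot be larger than this ring size.
IP_PKT_LIST_TOT = 20


class RecentTable:
    """Models one xt_recent table, i.e. the list created by --name DDOS."""

    def __init__(self, size=IP_PKT_LIST_TOT):
        self.size = size
        self.entries = {}  # source address -> ring of timestamps

    def set(self, src, now):
        # "-m recent --set": create the entry if missing, record this packet.
        ring = self.entries.setdefault(src, deque(maxlen=self.size))
        ring.append(now)

    def update(self, src, now, seconds, hitcount):
        # "-m recent --update --seconds S --hitcount N": match when at least
        # N stored stamps fall inside the last S seconds; a match also
        # records a fresh stamp, so a source that keeps flooding stays blocked.
        ring = self.entries.get(src)
        if ring is None:
            return False
        hits = sum(1 for stamp in ring if now - stamp <= seconds)
        if hits >= hitcount:
            ring.append(now)
            return True
        return False


def filter_queries(packets, seconds=4, hitcount=20):
    """Run (time, src) packets through both rules; return (time, src, verdict)."""
    table = RecentTable()
    verdicts = []
    for now, src in packets:
        table.set(src, now)  # rule 1: no -j, packet continues down the chain
        dropped = table.update(src, now, seconds, hitcount)  # rule 2: -j DROP
        verdicts.append((now, src, "DROP" if dropped else "ACCEPT"))
    return verdicts


def sample_packets():
    # Constructed traffic: 30 queries in 3 seconds from one source, one query
    # from a second source, then the first source again after a quiet spell.
    burst = [(i * 0.1, "198.51.100.7") for i in range(30)]
    return burst + [(2.95, "203.0.113.5"), (10.0, "198.51.100.7")]


if __name__ == "__main__":
    for when, src, verdict in filter_queries(sample_packets()):
        print(f"t={when:5.2f}s {src:14} {verdict}")
```

Because the --set rule has already stored the current packet before --update counts, the 20th query inside the window is the first one dropped; the second source is unaffected, and the first source is accepted again once its stored stamps age out of the four-second window.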
These incantations work in CentOS 6 but may or may not work on other Linux distributions or versions. I do not support non-CentOS Linux installs of MaraDNS.
To post a comment about this blog entry, go to the forum (self-signed https). New accounts may post once I approve the account.