List: djbdns
Subject: Re: any rate-limiting patch for tinydns?
From: richard lucassen <mailinglists () lucassen ! org>
Date: 2013-03-30 19:26:27
Message-ID: 20130330202627.6384f06e302579126e55f71f () lucassen ! org
On Sat, 30 Mar 2013 22:05:02 +1300
Jason Haar wrote:
> Given the DDoS that is whacking the inter-tubes at the moment, is
> there a rate-shaping patch for tinydns (I guess dnscache too - but
> I'm sure most of us don't have that sitting open on the Internet)
I run this iptables rule to limit ANY queries to 3:
# Rules are appended to INPUT for new UDP flows; define the shorthand
# before it is used so the snippet runs as a script.
I_INP_NEW="/usr/sbin/iptables -A INPUT -m state --state NEW"
# limit the queries to ANY (255) records:
# "|0000ff0001|" is the 0x00 that ends the QNAME, then QTYPE=255 (ANY)
# and QCLASS=1 (IN); --from 41 starts the search past the IP, UDP and
# DNS headers (20 + 8 + 12 = 40 bytes).
# Rule 1: a source already seen 3 or more times in the last 300 s is dropped
# (--update also refreshes its timestamp, so a persistent sender stays blocked).
${I_INP_NEW} -p udp -m udp --dport 53 -m string --algo bm --from 41 \
--hex-string "|0000ff0001|" -m recent --update \
--seconds 300 --hitcount 3 --name any_query -j DROP
# Rule 2: otherwise record the source in the any_query list and accept.
${I_INP_NEW} -p udp -m udp --dport 53 -m string --algo bm --from 41 \
--hex-string "|0000ff0001|" -m recent \
--set --name any_query -j ACCEPT
Don't know if you mean this type of annoyance.
HTH,
R.
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://contact.xaq.nl/ |
+------------------------------------------------------------------+
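What the two rules above actually match and how the `recent` counter behaves is easier to see in a small simulation. The following is an added example, not code from the mailing list post or from djbdns: it builds IPv4/UDP/DNS query packets (constructed sample input, source 203.0.113.7, a hypothetical server at 192.0.2.53), applies the same byte pattern at the same `--from 41` offset as the posted `-m string` match, and models xt_recent's `--set` / `--update --seconds 300 --hitcount 3` bookkeeping per source address. The model assumes the documented xt_recent behaviour (match when the address is listed with at least `hitcount` stamps inside the window, stamps recorded only on `--set` or on a successful `--update`, 20 stamps kept per address) and that `-m string --from N` only finds a pattern that starts at or after byte N of the IP packet. Under that assumption the simulation also shows an edge case of the posted rule: an ANY query for the root name (".") has its QTYPE at offset 40, one byte before `--from 41`, so it is not rate-limited.

```python
import struct
from collections import defaultdict, deque

# Byte pattern the iptables rule looks for: the 0x00 terminating the QNAME,
# then QTYPE=255 (ANY) and QCLASS=1 (IN).
ANY_IN_PATTERN = bytes.fromhex("0000ff0001")
STRING_FROM = 41        # --from 41 in the posted rule
RECENT_SECONDS = 300    # --seconds 300
RECENT_HITCOUNT = 3     # --hitcount 3
RECENT_LIST_TOT = 20    # xt_recent default ip_pkt_list_tot (stamps kept per address)

QTYPE = {"A": 1, "ANY": 255}


def build_query(src_ip, qname, qtype, txid=0x1234):
    """Constructed sample input: an IPv4 (no options) / UDP / DNS query packet.
    Header sizes are 20 + 8 + 12 bytes, so the question section starts at offset 40."""
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.rstrip(".").split(".") if l)
    question = labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes([192, 0, 2, 53])   # hypothetical nameserver address
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return ip + udp


def matches_any_query(packet, start=STRING_FROM):
    """Model of `-m string --algo bm --from 41 --hex-string "|0000ff0001|"`:
    the pattern has to begin at or after byte `start` of the IP packet."""
    return packet.find(ANY_IN_PATTERN, start) != -1


class RecentList:
    """Model of one xt_recent list (`--name any_query`): timestamps per source."""

    def __init__(self, seconds=RECENT_SECONDS, hitcount=RECENT_HITCOUNT, tot=RECENT_LIST_TOT):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=tot))

    def update_check(self, addr, now):
        """`--update --seconds S --hitcount N`: match when addr is listed with at
        least N stamps inside the last S seconds; a match also records this packet,
        which is what keeps a persistent sender blocked."""
        if addr not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[addr] if now - t < self.seconds)
        if hits >= self.hitcount:
            self.stamps[addr].append(now)
            return True
        return False

    def set(self, addr, now):
        """`--set`: add (or refresh) addr with the current timestamp."""
        self.stamps[addr].append(now)


def filter_packets(packets, recent=None):
    """Run the two posted rules, in order, over (time_seconds, src_ip, packet).
    Returns one verdict per packet: 'DROP' (rule 1), 'ACCEPT' (rule 2) or
    'PASS' (not an ANY query, so neither rule matches and the packet continues
    down the INPUT chain)."""
    recent = recent or RecentList()
    verdicts = []
    for now, src, pkt in packets:
        if not matches_any_query(pkt):
            verdicts.append("PASS")
        elif recent.update_check(src, now):
            verdicts.append("DROP")
        else:
            recent.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts


if __name__ == "__main__":
    burst = [(t, "203.0.113.7", build_query("203.0.113.7", "example.com", "ANY"))
             for t in range(5)]
    print(filter_packets(burst))
    print("root ANY matched:", matches_any_query(build_query("203.0.113.7", ".", "ANY")))
```

The fourth and later ANY queries from the same source inside the window are dropped; A queries never touch the `recent` list; and once the 300 s window has passed a source is accepted again and starts a fresh count. Whether an ANY for the root name matters in practice is a judgement call, but if it does, lowering `--from` to 40 covers it without changing anything else.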