Date:      Wed, 15 Jul 2009 00:46:22 +0100
From:      "Torsten Kersandt" <torsten@cnc-london.net>
To:        <freebsd-pf@freebsd.org>
Subject:   RE: PF + ALT  QUEUE for DDOS DNS attack
Message-ID:  <001501ca04dd$4d6ec8f0$e84c5ad0$@net>
In-Reply-To: <00a001ca04d6$37a122e0$a6e368a0$@com>
References:  <00a001ca04d6$37a122e0$a6e368a0$@com>

Hi
It is a common problem and can best be prevented by configuring your DNS server
to limit recursion (lookup requests for non-local or authoritative domains) to
the internal network and trusted Internet IP addresses only.
With all other solutions you may just delay or limit normal DNS server responses.
Most DNS server software does that very simply, and if it is an internal
machine doing this, block udp/tcp requests to port 53 from that address to
your server using pf until resolved.

Regards
Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
Behalf Of Kevin
Sent: 14 July 2009 23:56
To: freebsd-pf@freebsd.org
Subject: PF + ALT QUEUE for DDOS DNS attack

Greetings,


I am currently attempting to mitigate a DDoS attack on our network that is
comprised mainly of bogus DNS requests. The attacks seem to be coming in
waves of DNS queries on our internal systems.


I have tried several different ways of mitigating this, one of which is to
queue the DNS traffic via PF + ALTQ. I have attempted to limit the DNS
traffic to the particular host that is being attacked.


However, this doesn't seem to be very effective, as the nature of a DDoS
attack means that the queries being made are fairly simple and
straightforward.


I was hoping to get some tips / tricks from people who have encountered
similar scenarios. My firewall is (obviously) PF.


FreeBSD specific information :

FreeBSD fw 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #4: Tue Dec 16 13:00:03 EST
2008     fw@fw:/usr/obj/usr/src/sys/FW  i386


I'm looking for tips / tricks as far as what I can do on the firewall level,
of course. 


Any help is greatly appreciated! :)



~kevin
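
The pf part of the reply above (blocking port 53 requests from an offending internal machine until it is cleaned up), as an added pf.conf example that is not part of the original thread. The interface name, addresses and table name are constructed placeholders.

```conf
# pf.conf fragment (added example; all names and addresses are assumptions)
int_if     = "em1"            # assumed internal interface
dns_server = "192.0.2.53"     # placeholder address of the DNS server

# Internal hosts found sending the bogus queries. "persist" keeps the
# table when it is empty, so hosts can be added and removed at runtime
# without reloading the ruleset:
#   pfctl -t dns_offenders -T add 10.0.0.25      # start blocking a host
#   pfctl -t dns_offenders -T show               # list blocked hosts
#   pfctl -t dns_offenders -T delete 10.0.0.25   # unblock once resolved
table <dns_offenders> persist

# Drop DNS over both UDP and TCP from those hosts to the server.
# "quick" stops rule evaluation at this rule; "log" copies matching
# packets to pflog0 (watch with: tcpdump -n -e -ttt -i pflog0).
block in log quick on $int_if proto { tcp, udp } \
    from <dns_offenders> to $dns_server port 53

# Packets matching an existing state entry bypass the ruleset, so after
# adding a host to the table also clear its states:
#   pfctl -k 10.0.0.25
```

This only contains a misbehaving internal host; restricting recursion is done in the DNS server's own configuration, as the reply says.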


