Hi, so we were used for a dns amplification attack. Some jackass thought it would be a good idea to send us ~50k qps with the DO flag set and type ANY. This would have resulted in ~750mbit/s outbound traffic.
For all you masochists out there, this is the iptables rule I came up with:

    iptables -A INPUT -p udp -d $SERVER_IP --dport 53 -m u32 \
        --u32 "0>>22&0x3C@12>>16=1" \
        -m string --hex-string "|00 00 FF 00 01|" --algo bm \
        -j excessive_dns

Figuring that I will never do that again, I started writing a DNS ratelimiter/classifier/filter using divert-packet:

    pass in on outside inet proto udp from any \
        to <dnsservers> port 53 tag DNS-DIVERT
    pass out tagged DNS-DIVERT divert-packet port 700

This works reasonably well (it's fast, too: I'm getting half the packet rate with divert-packet compared to just passing the traffic); however, there is room for improvement. The filter sees the query _and_ the answer. It would be nice if pf would just pass the answer out; for one thing it would be even faster. Am I missing something obvious here? Can I somehow tell pf that I only want to divert the query? (Maybe it would work with no state, but that's not what I want, because if it would work I would be trading a context switch to userland for a rule evaluation for the answer.)

(Yes, yes, you will see the code once it's done; it's currently pre-demo. The main thing missing is a config parser. Benno, I'm looking in your direction :) )

Thanks,
Florian

--
I'm not entirely sure you are real.
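The classification the post describes, as an added example that is not Florian's code: a Python check for the pattern the iptables rule above matches on the wire (one question, QTYPE ANY, class IN, plus an EDNS0 OPT record with the DO bit set), which is what a userland divert filter would test before rate-limiting. build_query only constructs sample input; all function names are the example's own.

```python
import struct

QTYPE_ANY, QCLASS_IN, TYPE_OPT, DO_BIT = 255, 1, 41, 0x8000

def build_query(name, qtype, edns=True, do=True):
    """Construct a minimal DNS query message (sample input, not captured traffic)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = hdr + qname + struct.pack("!HH", qtype, QCLASS_IN)
    if edns:
        # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0,
        # 16-bit flags (DO is the top bit), rdlength 0
        msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0,
                                     DO_BIT if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + l

def is_any_with_do(msg):
    """True for a single-question ANY/IN query whose OPT RR carries DO."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        if flags & 0x8000 or qd != 1:  # responses, multi-question: not this case
            return False
        off = skip_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        if (qtype, qclass) != (QTYPE_ANY, QCLASS_IN):
            return False
        for _ in range(an + ns):      # normally empty in a query; skip if present
            off = skip_name(msg, off)
            off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
        for _ in range(ar):
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == TYPE_OPT and ttl & DO_BIT:   # DO lives in OPT's TTL field
                return True
            off += 10 + rdlen
        return False
    except (struct.error, IndexError):  # truncated or malformed packet
        return False
```

The byte string the rule's --hex-string looks for is the end of QNAME followed by QTYPE and QCLASS, so a matching query also contains b"\x00\x00\xff\x00\x01".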