Hi,

so we were used for a DNS amplification attack. Some jackass thought
it would be a good idea to send us ~50k qps with the DO flag set and
type ANY. This would have resulted in ~750 Mbit/s outbound traffic.

For all you masochists out there, this is the iptables rule I came up with:

iptables -A INPUT -p udp -d $SERVER_IP --dport 53 -m u32 \
  --u32 "0>>22&0x3C@12>>16=1" -m string --hex-string "|00 00 FF 00 01|" \
  --algo bm -j excessive_dns

Figuring that I will never do that again, I started writing a DNS
ratelimiter/classifier/filter using divert-packet:

pass in on outside inet proto udp from any \
        to <dnsservers> port 53 tag DNS-DIVERT
pass out tagged DNS-DIVERT divert-packet port 700

This works reasonably well (it's fast, too: I'm getting half the
packet rate with divert-packet compared to just passing the traffic),
however there is room for improvement. The filter sees the query _and_
the answer. It would be nice if pf would just pass the answer out; for
one thing, it would be even faster.
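The classification the iptables rule above hard-codes (exactly one question, QTYPE ANY, class IN) plus the DO bit from the EDNS0 OPT RR, written out as the kind of parser a divert-packet filter would run on each diverted UDP payload; this is an added example, not Florian's code, and the sample packets it builds are constructed. It also shows the QR check that lets a userland filter hand answers straight back instead of classifying them.

```python
import struct

TYPE_ANY, CLASS_IN, TYPE_OPT, DO_BIT = 255, 1, 41, 0x8000

def build_query(name, qtype, do=False):
    """Constructed sample: one-question query for name, with an EDNS0 OPT RR if do is set."""
    labels = name.rstrip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'
    pkt = struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 1 if do else 0)
    pkt += qname + struct.pack('!HH', qtype, CLASS_IN)
    if do:  # OPT RR: root name, type 41, UDP size 4096, DO bit lives in the TTL field
        pkt += b'\x00' + struct.pack('!HHIH', TYPE_OPT, 4096, DO_BIT, 0)
    return pkt

def skip_name(buf, off):
    """Return the offset just past the name at off; a compression pointer ends the name."""
    while off < len(buf):
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
    raise ValueError('truncated name')

def classify(pkt):
    """Parse a DNS message; return (is_query, qtype, qclass, do) or None if malformed."""
    if len(pkt) < 12:
        return None
    _, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', pkt[:12])
    is_query = not flags & 0x8000     # QR clear: a query; answers can be passed through untouched
    if qd != 1:                        # same test as the u32 match "@12>>16=1": exactly one question
        return None
    off = skip_name(pkt, 12)
    if off + 4 > len(pkt):
        return None
    qtype, qclass = struct.unpack('!HH', pkt[off:off + 4])
    off, do = off + 4, False
    for _ in range(an + ns + ar):      # walk every RR; only the OPT RR matters here
        off = skip_name(pkt, off)
        if off + 10 > len(pkt):
            return None
        rtype, _, ttl, rdlen = struct.unpack('!HHIH', pkt[off:off + 10])
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_BIT)    # DO is the top bit of the OPT RR's 32-bit TTL field
        off += 10 + rdlen
    return is_query, qtype, qclass, do

def is_any_query(pkt):
    """What the iptables rule matches, checked at the real question offset rather than by substring."""
    c = classify(pkt)
    return c is not None and c[0] and c[1] == TYPE_ANY and c[2] == CLASS_IN
```

The `-m string` match in the rule fires on `00 00 FF 00 01` anywhere in the packet, so parsing the question at its actual offset is the stricter of the two checks.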

Am I missing something obvious here? Can I somehow tell pf that I only
want to divert the query? (Maybe it would work with no state, but
that's not what I want, because if it did work I would be trading a
context switch to userland for a rule evaluation for the answer.)

(yes, yes, you will see the code once it's done, it's currently
pre-demo. The main thing missing is a config parser. Benno I'm looking
in your direction :) )

Thanks,
Florian
-- 
I'm not entirely sure you are real.
