PF + ALT QUEUE for DDOS DNS attack
Torsten Kersandt
torsten at cnc-london.net
Tue Jul 14 23:46:20 UTC 2009
Hi
It is a common problem and can best be prevented by configuring your DNS server
to limit recursion (lookup requests of non-local or authoritative domains) to
the internal network and trusted Internet IP addresses only.
All other solutions may just delay or limit normal DNS server responses.
Most DNS server software does that very simply, and if it is an internal
machine doing this, block UDP/TCP requests to port 53 from that address to
your server using pf until resolved.
Regards
Torsten
-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On
Behalf Of Kevin
Sent: 14 July 2009 23:56
To: freebsd-pf at freebsd.org
Subject: PF + ALT QUEUE for DDOS DNS attack
Greetings,
I am currently attempting to mitigate a DDoS attack on our network that is
comprised mainly of bogus DNS requests. The attacks seem to be coming in
waves of DNS queries on our internal systems.
I have tried several different ways of mitigating this, one of which is to
queue the DNS traffic via PF + ALTQ. I have attempted to limit the DNS
traffic to the particular host that is being attacked.
However, this doesn't seem to be very effective, as the nature of a DDoS
attack means that the queries being made are fairly simple and
straightforward.
I was hoping to get some tips / tricks from people who have encountered
similar scenarios. My firewall is (obviously) PF.
FreeBSD specific information :
FreeBSD fw 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #4: Tue Dec 16 13:00:03 EST
2008 fw at fw:/usr/obj/usr/src/sys/FW i386
I'm looking for tips / tricks as far as what I can do on the firewall level,
of course.
Any help is greatly appreciated! :)
~kevin
_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
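The pf step from the reply above (block port 53 from an offending internal address until resolved), written as a pf.conf fragment. This is an added example, not part of either message; the interface name, addresses and table name are constructed assumptions, and it assumes traffic from the internal host to the DNS server crosses the pf machine.

```conf
# pf.conf fragment (added example, not from the thread).
# All names and addresses below are constructed placeholders.
int_if     = "em1"          # assumption: internal-facing interface
dns_server = "10.0.1.53"    # assumption: the DNS server being flooded

# Internal hosts currently sending the bogus queries. The table is
# declared empty and filled at run time, so no ruleset reload is needed:
#   pfctl -t dns_offenders -T add 10.0.2.77      # start blocking a host
#   pfctl -t dns_offenders -T show               # list blocked hosts
#   pfctl -t dns_offenders -T delete 10.0.2.77   # lift the block once resolved
# A table entry does not remove states created before the block;
# clear them with:
#   pfctl -k 10.0.2.77
table <dns_offenders> persist

# Place this ahead of the pass rules. "quick" stops evaluation on match,
# so a later pass rule for port 53 cannot re-admit the traffic.
block in quick on $int_if proto { tcp, udp } \
    from <dns_offenders> to $dns_server port 53
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it; this only covers the temporary block, while limiting recursion is done in the DNS server's own configuration.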