iptables and bind

Steven Stromer filter at stevenstromer.com
Tue Aug 19 22:28:57 UTC 2008


I want to rate limit queries to mitigate the threat of a Polyakov-styled attack, but I can't find anything on iptables rate limiting based on bits, bytes, or Mb / time (as opposed to packets/time). I looked through the standard iptables extensions, and through the patch-o-matic offerings, and can't find the right tool. Assuming that the size of any single UDP packet in a query can change, up to the limit where it is refused in exchange for a tcp packet, I can't even see how the correct packets/time could be accurately inferred. Any recommendations?

(NOTE: Tried posting to the netfilter list before posting here, but haven't gotten a response, and want to address this ASAP, so any expertise would be appreciated...)

Thanks!
Steven Stromer


On Aug 12, 2008, at 11:15 AM, Chris Buxton wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Don't forget the Polyakov attack. Rate-limit your inbound traffic as
> per Paul Vixie's recommendation (no more than 10 Mbit/s of inbound DNS
> traffic), if necessary, using a firewall on your DNS server, or
> possibly using an external DNS server.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On Aug 12, 2008, at 7:08 AM, Paul A wrote:
>
>> Thanks Kevin, didn't know if doing random with iptables was going to
>> make it harder to guess instead of just using the new bind with port
>> randomization.
>>
>> So at this point I'm assuming that aside from using secure zones,
>> using the new bind is all that can be done?
>>
>> paul
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
>
> iEYEARECAAYFAkihqREACgkQ0p/8Jp6Boi09uwCfem+soAjGYEy4abH2y6RxggMq
> XX0AoKSru0q+ESnrptnQU+ClwRMuFGQC
> =s6ZQ
> -----END PGP SIGNATURE-----
>
>
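The byte-based match the original poster could not find in 2008 was added to iptables' hashlimit in a later kernel (around 2012): --hashlimit-upto accepts byte units such as "1220kb/s", with --hashlimit-burst giving the byte allowance above the rate. The script below is an added example written for this archive page, not code from the thread or from BIND. Everything in it is an assumption: the interface name eth0, the chain name DNS_IN, the hashlimit table name dns_bytes, the 1 MB burst, and a ceiling taken from the 10 Mbit/s figure Chris quotes above. The hashlimit suffixes are powers of 1024 and the rate must be written per second, so the helper converts Mbit/s accordingly. A single global bucket (no --hashlimit-mode) is deliberate: the forged replies in a Polyakov-style flood carry spoofed source addresses, so a per-source bucket would never fill. Anything above the ceiling is dropped, legitimate traffic included, so the rate must sit above your own measured peak before this is applied.

```shell
#!/bin/sh
# Byte-based ceiling on inbound DNS using iptables hashlimit.
# Added example, not code from the thread. All names below (eth0, DNS_IN,
# dns_bytes) and the 10 Mbit/s default are hypothetical, and the rules need a
# kernel and iptables new enough for hashlimit's byte units (post-2012).

# hashlimit's k/m/g suffixes are powers of 1024, so convert Mbit/s with 1024:
# 10 Mbit/s = 1 250 000 B/s = 1220 KiB/s (floored by integer division).
mbit_to_hashlimit() {
    echo "$(( $1 * 1000000 / 8 / 1024 ))kb/s"
}

# Emit an iptables-restore fragment for the given interface, byte rate and
# byte burst. Printed rather than applied so it can be reviewed first.
dns_rules() {
    iface="${1:-eth0}"
    rate="${2:-$(mbit_to_hashlimit 10)}"
    burst="${3:-1mb}"    # bytes allowed above the rate before drops start
    cat <<EOF
*filter
:DNS_IN - [0:0]
# inbound queries (dport 53) and inbound replies to the resolver (sport 53);
# multiport --ports matches either the source or the destination port
-A INPUT -i $iface -p udp -m multiport --ports 53 -j DNS_IN
-A INPUT -i $iface -p tcp -m multiport --ports 53 -j DNS_IN
# counted in IP packet bytes, so a 64-byte query and a 512-byte reply are
# charged differently; a packet limiter such as "-m limit --limit 2500/s"
# would pass roughly 1.3 Mbit/s of minimal queries but over 10 Mbit/s of
# full-size replies, which is the mismatch the original post points out
-A DNS_IN -m hashlimit --hashlimit-name dns_bytes --hashlimit-upto $rate --hashlimit-burst $burst -j ACCEPT
-A DNS_IN -j DROP
COMMIT
EOF
}
```

Review the output of `dns_rules eth0`, then load it with `dns_rules eth0 | iptables-restore --noflush` so existing rules are kept; `dns_rules eth0 "$(mbit_to_hashlimit 50)" 4mb` raises the ceiling to about 50 Mbit/s with a 4 MB burst.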