Wednesday, May 22, 2013

How to Block DoS or limit traffic on DNS and Log the activity



Step 1:
Add the entry below to the syslog configuration so that iptables activity is logged to a separate file.

kern.*                                                 /var/log/firewall.log

Restart the syslog service.

Step 2:
Limit the traffic per second.

# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource

If new traffic from a source hits destination port 53, this rule records the source IP in the list called DNSQF.

Increase the hit-counter limit in the kernel. The xt_recent module remembers at most ip_pkt_list_tot timestamps per address (default 20), so a --hitcount above that value is rejected unless the limit is raised before the rules are added:
 chmod 600 /sys/module/xt_recent/parameters/ip_pkt_list_tot
 echo 200 > /sys/module/xt_recent/parameters/ip_pkt_list_tot
 chmod 400 /sys/module/xt_recent/parameters/ip_pkt_list_tot

On kernels where this file cannot be written, set the value at module load time instead (options xt_recent ip_pkt_list_tot=200 in /etc/modprobe.d/).


The rules below log and then drop traffic that reaches the threshold:
# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount "30" --name DNSQF --rsource -j LOG
# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount "30" --name DNSQF --rsource -j DROP


If new traffic from a source hitting port 53 exceeds 30 hits in one second, it is logged and then dropped.

Step 3:
Limit the traffic over 5 seconds (backup rule).

# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --set --name DNSHF --rsource

The hit-counter limit was already raised in the step above, so the commands below should run without error.


# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 5 --hitcount "150" --name DNSHF --rsource -j LOG
# iptables -A INPUT -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 5 --hitcount "150" --name DNSHF --rsource -j DROP

Any traffic matching these rules is logged to /var/log/firewall.log; the per-rule packet and byte counters can also be inspected with:
# iptables -L -n -v
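The following script is an added example and not code from the original post; it puts Steps 2 and 3 into one place and goes a little beyond them. The rules above match TCP only, while most DNS queries arrive over UDP, so the script installs the same two-tier limit for both protocols. The post's LOG rules carry no --log-prefix, which makes their lines in /var/log/firewall.log hard to tell apart from other kernel messages; the script tags each LOG rule, rate-limits the LOG rule itself so a flood cannot fill the log, and ends with a small awk summary of logged hits per source address. The list names (DNSQF_tcp, DNSHF_udp and so on), the prefix strings, the -m limit values, the DRY_RUN switch and the sample log lines are all assumptions made here, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the post's two-tier
# xt_recent limit (30 new connections/s via DNSQF, 150 per 5 s via DNSHF) for
# TCP and UDP, and summarises the resulting LOG lines by source address.
# Constructed here, not in the post: list names, --log-prefix tags, the
# -m limit values, the DRY_RUN switch and SAMPLE_LOG.

# Emit the three rules for one list.
#   $1 protocol, $2 list name, $3 window in seconds, $4 hit count, $5 log prefix
# --set records every new connection from a source; the two --update rules
# match only once that source exceeds $4 new connections within $3 seconds.
dns_rate_rules() {
    p=$1 name=$2 secs=$3 hits=$4 prefix=$5
    base="iptables -A INPUT -p $p --dport 53 -m state --state NEW -m recent"
    echo "$base --set --name $name --rsource"
    # -m limit keeps a flood from writing one log line per dropped packet
    echo "$base --update --seconds $secs --hitcount $hits --name $name --rsource -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"$prefix\""
    echo "$base --update --seconds $secs --hitcount $hits --name $name --rsource -j DROP"
}

# The complete policy: each protocol gets its own lists, so the log prefix
# tells TCP and UDP offenders apart.
dns_rate_policy() {
    for proto in tcp udp; do
        dns_rate_rules "$proto" "DNSQF_$proto" 1 30 "DNSQF-$proto: "
        dns_rate_rules "$proto" "DNSHF_$proto" 5 150 "DNSHF-$proto: "
    done
}

# Install the policy (needs root). By default this is a dry run that only
# prints the commands; set DRY_RUN=0 to execute them.
apply_dns_rate_policy() {
    dry=${DRY_RUN:-1}
    if [ "$dry" = 0 ]; then
        # xt_recent remembers at most ip_pkt_list_tot stamps per address
        # (default 20); a larger --hitcount is rejected unless this is raised first.
        chmod 600 /sys/module/xt_recent/parameters/ip_pkt_list_tot
        echo 200 > /sys/module/xt_recent/parameters/ip_pkt_list_tot
        chmod 400 /sys/module/xt_recent/parameters/ip_pkt_list_tot
    fi
    dns_rate_policy | while IFS= read -r cmd; do
        if [ "$dry" = 0 ]; then eval "$cmd"; else echo "$cmd"; fi
    done
}

# Read iptables LOG lines on stdin and print "<hits> <prefix> <source>" for
# every tagged DNS rule, most frequent source first.
summarize_dns_log() {
    awk '
        /DNSQF-|DNSHF-/ {
            pfx = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DNS[QH]F-(tcp|udp):$/) pfx = $i
                if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (pfx != "" && src != "") count[pfx " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample of /var/log/firewall.log using documentation addresses;
# the last line is unrelated noise that the summary must ignore.
SAMPLE_LOG='May 22 10:15:01 ns1 kernel: [  812.110203] DNSQF-udp: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.53 LEN=61 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=41234 DPT=53 LEN=41
May 22 10:15:01 ns1 kernel: [  812.110377] DNSQF-udp: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.53 LEN=61 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=41235 DPT=53 LEN=41
May 22 10:15:02 ns1 kernel: [  813.004910] DNSQF-tcp: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=50001 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
May 22 10:15:03 ns1 kernel: [  814.220045] DNSHF-udp: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.53 LEN=61 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=41300 DPT=53 LEN=41
May 22 10:15:03 ns1 sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 51000'

# Demo: print the policy (dry run) and the per-source summary of the sample.
apply_dns_rate_policy
printf '%s\n' "$SAMPLE_LOG" | summarize_dns_log
```

Run it as root with DRY_RUN=0 to install the twelve rules; without that it only prints the iptables commands so they can be reviewed first. Against the live log, pipe /var/log/firewall.log into summarize_dns_log to see which sources are tripping which tier; a source that shows up under the DNSHF prefix but not DNSQF is one that stays just under 30 per second while exceeding 150 over five seconds, which is exactly the case the backup rule in Step 3 exists for.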