Discussion:
[Shorewall-users] How can i see the drops of rate limit rules?
Miguel Miranda
2016-10-07 15:22:27 UTC
Hello to all, I have two questions:

1. I want to mitigate DDOS attacks to my DNS servers. To implement this I
have configured rate limit as per docs:

ACCEPT net $FW udp 53 - - s:powerdns:10/sec:100

I have verified that the rate limit is working by sending more than 100 qps
and I start to get errors with the DNS resolver, so I guess the limit is
working. However, I would like to see in the logs the packets dropped so I
can review who is attacking my server and whether the limit is affecting valid
customers; if so I will raise the burst. If I try this

ACCEPT:info net $FW udp 53 - - s:powerdns:10/sec:100


I see all the traffic, but I just want to see the abnormal dropped traffic.

2. Are these 2 rules equivalent, the second one using the DDOS action
created by Tom:

DNSDDOS net $FW udp 53 - - s:powerdns:10/sec:100

Regards
Tom Eastep
2016-10-07 16:19:52 UTC
Post by Miguel Miranda
1. I want to mitigate DDOS attacks to my DNS servers, to implement
ACCEPT net $FW udp 53 - - s:powerdns:10/sec:100
I have verified that the rate limit is working by sending more than
100 qps and I start to get errors with the DNS resolver, so I guess the
limit is working. However, I would like to see in the logs the
packets dropped so I can review who is attacking my server and whether
the limit is affecting valid customers; if so I will raise the
burst. If I try this
ACCEPT:info net $FW udp 53 - - s:powerdns:10/sec:100
I see all the traffic, but I just want to see the abnormal dropped
traffic.
Simply add

DROP:info net $FW udp 53

after your rate-limited ACCEPT rule.
Post by Miguel Miranda
2. Are these 2 rules equivalent, the second one using the DDOS
DNSDDOS net $FW udp 53 - - s:powerdns:10/sec:100
This rule will drop DDOS packets that are within the rate; the first
rule above will not.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
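With the `DROP:info net $FW udp 53` rule placed after the rate-limited ACCEPT, every packet over the hashlimit is logged, and the question of "who is attacking, and are valid customers being throttled" becomes a log-aggregation job. The script below is an added example, not part of this thread or of Shorewall itself: it assumes Shorewall's default LOGFORMAT (lines prefixed `Shorewall:net-fw:DROP:`), tallies drops per SRC for UDP/53, and splits them against a placeholder list of known customer prefixes; the log lines and address ranges are constructed samples.

```python
"""Tally Shorewall rate-limit drops per source address.
Added example (not from the thread). Assumes Shorewall's default LOGFORMAT,
so the DROP:info rule logs lines prefixed "Shorewall:net-fw:DROP:".
"""
import ipaddress
import re
from collections import Counter

# Logged rule line: chain, disposition, then netfilter fields (SRC=, PROTO=, DPT=).
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):.*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def parse_drops(lines, chain="net-fw", proto="UDP", dport=53):
    """Count DROP log entries per source IP for the given chain/proto/port."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["chain"] != chain or m["disp"] != "DROP":
            continue
        if m["proto"] != proto or int(m["dpt"]) != dport:
            continue
        hits[m["src"]] += 1
    return hits

def classify(hits, customer_nets):
    """Split dropped sources into known-customer and unknown addresses."""
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    customers, unknown = {}, {}
    for src, count in hits.items():
        addr = ipaddress.ip_address(src)
        bucket = customers if any(addr in net for net in nets) else unknown
        bucket[src] = count
    return customers, unknown

# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "Oct  7 15:22:27 ns1 kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.53 LEN=72 TTL=54 ID=1 PROTO=UDP SPT=4433 DPT=53 LEN=52",
    "Oct  7 15:22:27 ns1 kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.53 LEN=72 TTL=60 ID=2 PROTO=UDP SPT=5353 DPT=53 LEN=52",
    "Oct  7 15:22:28 ns1 kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.53 LEN=72 TTL=54 ID=3 PROTO=UDP SPT=4434 DPT=53 LEN=52",
    "Oct  7 15:22:28 ns1 kernel: Shorewall:net-fw:ACCEPT:IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.53 LEN=72 TTL=62 ID=4 PROTO=UDP SPT=4000 DPT=53 LEN=52",
    "Oct  7 15:22:29 ns1 kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.53 LEN=60 TTL=51 ID=5 PROTO=TCP SPT=40000 DPT=53 WINDOW=1024",
    "Oct  7 15:22:29 ns1 kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.53 LEN=72 TTL=51 ID=6 PROTO=UDP SPT=4001 DPT=53 LEN=52",
]

if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    known, unknown = classify(drops, ["198.51.100.0/24"])  # placeholder customer range
    print("customer sources hitting the limit:", known)
    print("unknown sources hitting the limit:", unknown)
```

A customer prefix showing up in `known` is the signal that the burst should be raised; `unknown` is the review list the question asks for.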
Miguel Miranda
2016-10-07 16:57:42 UTC
Thanks Tom, so when the number of connections allowed is reached,
iptables just bypasses the rule and then it falls into the default policy,
which I am not logging, so by adding the DROP rule it catches the bypassed
packet and logs it?
If I understand correctly, I just need the DNSDDOS and DROP rules? It will
drop DDOS packets and additionally will apply the limit.
Tom Eastep
2016-10-07 17:02:59 UTC
Post by Miguel Miranda
Thanks Tom, so when the number of connections allowed is
reached, iptables just bypasses the rule and then it falls into the
default policy, which I am not logging, so by adding the DROP rule
it catches the bypassed packet and logs it?
Yes.
Post by Miguel Miranda
If I understand correctly, I just need the DNSDDOS and DROP rules?
It will drop DDOS packets and additionally will apply the limit.
Yes.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Miguel Miranda
2016-10-07 20:52:43 UTC
Sweet, thanks.