Last active
January 11, 2021 19:05
-
-
Save guerrerocarlos/5171614 to your computer and use it in GitHub Desktop.
Blocking all ANY queries in DNS server to prevent DDOS DNS amplification attack
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| iptables --flush | |
| iptables -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery | |
| iptables -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 1 -j DROP | |
| iptables -A INPUT -p udp --dport 53 -m u32 --u32 $(python generate-netfilter-u32-dns-rule.py --qname . --qtype ANY) -j DROP | |
| #iptables -A INPUT -p udp --dport 53 -m u32 --u32 $(python generate-netfilter-u32-dns-rule.py --qname isc.org --qtype ANY) -j DROP | |
| #iptables -A INPUT -p udp --dport 53 -m u32 --u32 $(python generate-netfilter-u32-dns-rule.py --qname isc.org. --qtype ANY) -j DROP | |
| iptables -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -j DROP | |
| #para bloquear ataque isc.org | |
| iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm running iptables v1.4.21 on CentOS Linux 7.5.1804 and the --from value needs to be 40 (54 - 14 (Ethernet header)). Like this here: https://www.centos.org/forums/viewtopic.php?t=62148
50 is beyond the offset of a ROOT (.) ANY only query and thus will not match.
UDP DNS queries begin at offset 40 (54 - 14 (Ethernet header length))
TCP DNS queries begin at offset 52 (66 - 14 (Ethernet header length))
Kernel: Linux 3.10.0-862.11.6.el7.centos.plus.1.x86_64