Mitigating my first recorded DDoS on my home lab

For a couple of days, my family and I have noticed weird slowness when accessing the Internet and the various media platforms we use (Netflix, YouTube, etc.), but paid it no mind given that it happened at weird hours (I thought it was the ISP doing some work or having issues).

Today, this evening, I was trying to do some stuff on my laptop and it happened again, only this time I started digging a bit and, to my surprise, I noticed my DNS service was under DDoS with queries for various domains that have no relation to me whatsoever.

Given my particular setup (ISP router doing NAT and port forwarding to nginx in front of the DNS service), I had to get creative, and this is what I came up with:

attempt1: rate limiting queries to my DNS server to something acceptable

# note: as originally written (-m limit --limit 6/min -j DROP) the rule only drops the
# first packets within the limit and lets everything else through; to cap the traffic,
# accept what is within the limit and drop the excess.
# -m limit also counts all sources together; a per-source cap needs -m hashlimit with --hashlimit-mode srcip.
iptables -A INPUT -p udp -m udp --dport 53 -m limit --limit 6/min -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j DROP

After applying the rule I noticed it was dropping part of the traffic and things started working a little bit better; however, that did not feel like it made enough difference, so I explored filtering using fail2ban and rate limiting using nginx.

The problem with fail2ban was that I would need to create rules to catch hits to the target domain, and that would not really work given that whoever started the DDoS could simply change the target domain to something else.

The problem with nginx was that it does not do the kind of rate limiting / filtering I need. For DNS one needs to use the stream module, which has a rate limiting feature, but that is relative to bandwidth, not to the number of queries from the same IP in a set amount of time.

Then it hit me …

attempt2: I could block all DNS queries that hit my servers except for the ones for domains I actually have set up on them …

# accept any UDP/53 packet whose payload contains our domain label, drop the rest.
# note: --string is case-sensitive (add --icase to also match mixed-case query names),
# it matches the bytes anywhere in the packet, and these two rules cover UDP only, not TCP/53.
iptables -A INPUT -p udp -m udp --dport 53 -m string --string "seceleanu" --algo bm --to 65535 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j DROP

This actually did it for me … the DDoS is still there (confirmed with tcpdump), so it is still eating a bit of bandwidth, but I am able to use the Internet as if it weren't. It's true that if the attacker decides to scale things up a bit they could saturate the connection, but that would be quite expensive on their part, and given that I'm really not a valuable target I doubt they will.
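To show what the string-match rule above actually decides, here is an added example (my own code, not from the post) that builds a minimal DNS query packet, applies the same byte-wise substring check the iptables rule uses, and compares it with a stricter check on the parsed question name. The zone name "seceleanu.example" is an assumed placeholder; the post only shows the label "seceleanu".

```python
import struct
from typing import Optional

# assumption: placeholder zone; the post only reveals the label "seceleanu"
ALLOWED_ZONES = ("seceleanu.example",)

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (header + one question) as test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_qname(pkt: bytes) -> Optional[str]:
    """Return the lower-cased question name, or None if the packet is malformed."""
    if len(pkt) < 12 or struct.unpack("!H", pkt[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            return None
        n = pkt[pos]
        if n == 0:
            break
        if n & 0xC0:  # compression pointers are not valid in a question name
            return None
        pos += 1
        if pos + n > len(pkt):
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels).lower()

def string_match_verdict(pkt: bytes, needle: bytes = b"seceleanu") -> str:
    """What `-m string --string seceleanu` does: case-sensitive bytes anywhere in the packet."""
    return "ACCEPT" if needle in pkt else "DROP"

def qname_verdict(pkt: bytes, zones=ALLOWED_ZONES) -> str:
    """Stricter check: the question name must be one of our zones or a name under them."""
    name = parse_qname(pkt)
    if name is None:
        return "DROP"
    return "ACCEPT" if any(name == z or name.endswith("." + z) for z in zones) else "DROP"

if __name__ == "__main__":
    for q in ("www.seceleanu.example", "WWW.SECELEANU.EXAMPLE", "seceleanu.other.example", "example.org"):
        p = build_query(q)
        print(f"{q:28} string-match={string_match_verdict(p):6} qname-check={qname_verdict(p)}")
```

The mixed-case and "seceleanu.other.example" rows are where the two checks disagree: the byte match misses upper-case names unless --icase is added, and it accepts any packet that merely contains the label.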

There you have it … a pretty simple solution for a nasty problem …

Enjoy!
