Amplification iptables Rules

Hey,

It would be great if we could implement this in future.
Simple but effective.

Let me know your thoughts.

Do I get you right: you aim to limit the rate of incoming UDP packets on destination port 53? Isn’t dnsmasq using random ports for queries by default? Are you going to drop this feature for your feature? OK, you can use the source port 53 … but is there a clear threshold from which you can choose: this is an “attack” on my local Pi-hole, or this is normal traffic? Is 5 pkt/sec really a threat?


This sounds like a more sophisticated approach. But what is the use case: a Pi-hole directly exposed to the WAN, or is there any reason to use this for a Pi-hole behind a well-configured router (firewall)?

For an exposed server that isn’t protected with a VPN. For an internal NAT router or a firewall you wouldn’t need the protection. It’s just to stop amplification attacks utilizing UDP port 53. I guess you could have it internally on an untrusted network and have bad clients that were trying to stage attacks, but that’s not a likely scenario.

My wife sometimes does DoS attacks on Zalando … so watch out: the enemy is everywhere.


:laughing:

Interesting post, but the last update on the blacklist domains was 5 years ago.
I wonder what the difference is between this post and freek’s one.

Freek has a very good solution. It has been tested by multiple instances of Pi-hole and it works.


OK, I’m using the following rules:

##now for the sake add rate limit general (avoid flooding)
iptables -N udp-flood
iptables -A udp-flood -m limit --limit 4/second --limit-burst 4 -j RETURN
iptables -A udp-flood -j DROP
iptables -A INPUT -i eth0 -p udp -j udp-flood
iptables -A INPUT -i eth0 -f -j DROP

##these come from freek's blog post
iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP

Note that this will only protect you partially, you also need to add IPv6 rules (ip6tables).

I’ll implement this in the coming months.

  • Could you please give your opinion on the added value of this security measure (both IPv4 and IPv6)?
  • Could you please confirm that the above rules are correct?

Thanks for your time and effort.
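What the `--hex-string '|0000FF0001|'` rules above actually match, as an added illustration that is not part of this thread or of Pi-hole: the five bytes are the QNAME terminator (00) followed by QTYPE 255 (ANY, 00FF) and QCLASS 1 (IN, 0001), and offset 40 is where the question section starts in an IPv4/UDP packet (20 + 8 + 12 header bytes). The script below builds a constructed query packet, compares the raw byte scan with a proper question-section parse, and replays the `recent --set` / `--rcheck --seconds 60 --hitcount 3` logic over a simulated flood; the domain name, addresses and ports are made-up sample values.

```python
import struct
from collections import defaultdict, deque

IP_HDR, UDP_HDR, DNS_HDR = 20, 8, 12          # question section starts at 20 + 8 + 12 = 40
ANY_PATTERN = bytes.fromhex("0000FF0001")    # QNAME terminator 00, QTYPE 00FF (ANY), QCLASS 0001 (IN)

def build_dns_query(name, qtype, qclass=1, txid=0x1234):
    """Constructed sample: minimal DNS query (12-byte header, one question, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def wrap_ipv4_udp(payload, src="192.0.2.10", dst="192.0.2.53", sport=40000, dport=53):
    """Constructed sample: IPv4 + UDP headers (checksums left zero) so offsets match the wire."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + UDP_HDR + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0)
    return ip + udp + payload

def string_match_from_40(packet):
    """What '-m string --from 40 --algo bm --hex-string |0000FF0001|' does: a raw byte scan."""
    return ANY_PATTERN in packet[40:]

def question_is_any(packet):
    """Proper check: walk the QNAME labels, then read QTYPE/QCLASS of the first question."""
    dns = packet[IP_HDR + UDP_HDR:]
    pos = DNS_HDR
    while dns[pos] != 0:                       # each label: length byte + label bytes
        pos += 1 + dns[pos]
    qtype, qclass = struct.unpack_from("!HH", dns, pos + 1)
    return qtype == 255 and qclass == 1

class RecentTracker:
    """Approximates '-m recent --set' then '--rcheck --seconds 60 --hitcount 3' per source."""
    def __init__(self, seconds=60, hitcount=3):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = defaultdict(deque)

    def should_drop(self, src, now):
        q = self.hits[src]
        q.append(now)                          # --set records this packet first (rule 1)
        while q and now - q[0] > self.seconds:
            q.popleft()                        # only hits inside the 60 s window count
        return len(q) >= self.hitcount         # --rcheck --hitcount 3 matches -> DROP (rule 2)

def simulate_any_flood(count, seconds_apart=1.0):
    """Send `count` ANY queries from one constructed source; return how many would be dropped."""
    tracker, drops = RecentTracker(), 0
    pkt = wrap_ipv4_udp(build_dns_query("example.com", 255))
    for i in range(count):
        if string_match_from_40(pkt) and tracker.should_drop("192.0.2.10", i * seconds_apart):
            drops += 1
    return drops
```

Only the third and later ANY queries from the same source inside the 60-second window are dropped; ordinary A queries never touch the `recent` list, and the TCP rules use offset 52 because of the 20-byte TCP header (they assume no TCP options).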