MaraDNS and DOS attacks


October 22 2013

This blog post is a small HOWTO showing how to stop MaraDNS from taking part in a distributed denial of service attack.

==The problem==

Earlier this year, there was a huge denial of service attack that used DNS packets.

DNS was used because it lets an attacker turn a fairly small request packet into a much larger response aimed at the victim. This is especially true when using a DNS extension called EDNS, which MaraDNS does not support.

==The solution==

When this attack was big news, I mentioned that I do not have time to implement rate limiting. However, CentOS 6 does support rate limiting at the firewall level. While some of the incantations on the Internet do not work in CentOS, the following iptables commands limit a given IP address to 20 DNS queries to MaraDNS/Deadwood every four seconds:

iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DDOS --rsource

iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --name DDOS --rsource -j DROP

To verify they are applied:

iptables --list

To save these commands in CentOS so they are applied at system boot time:

iptables-save > /etc/sysconfig/iptables


These incantations work in CentOS 6 but may or may not work in other versions of Linux. I do not support non-CentOS Linux installs of MaraDNS.
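To make the numbers in those two rules concrete, here is an added Python model (not code from this post or from MaraDNS) of how the iptables `recent` match evaluates traffic: one sliding window of timestamps per source address, the `--set` rule recording every query and the `--update --seconds 4 --hitcount 20` rule dropping a query once 20 hits fall within four seconds. The addresses and traffic are constructed, and the window semantics follow my reading of the kernel's xt_recent module, which is an assumption rather than something the post states.

```python
from collections import defaultdict, deque

# Model of the two rules from the post (constructed, not kernel code):
#   -m recent --set --name DDOS --rsource                      (record query)
#   -m recent --update --seconds 4 --hitcount 20 --name DDOS -j DROP
# Assumption: like xt_recent, at most MAX_STAMPS timestamps are kept per
# address (the module's ip_pkt_list_tot default is 20).
SECONDS = 4
HITCOUNT = 20
MAX_STAMPS = 20


class RecentTable:
    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, max_stamps=MAX_STAMPS):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def _set(self, src, now):
        # --set: add the source if new and record this packet's timestamp
        self.stamps[src].append(now)

    def _update_matches(self, src, now):
        # --update --seconds N --hitcount H: matches when at least H recorded
        # hits lie within the last N seconds (the current packet was already
        # recorded by --set). On a match the kernel records another stamp.
        window_start = now - self.seconds
        hits = sum(1 for t in self.stamps[src] if t >= window_start)
        if hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False

    def accept(self, src, now):
        """True if a query from src at time `now` passes both rules."""
        self._set(src, now)
        return not self._update_matches(src, now)


def simulate(events, table=None):
    """events: iterable of (time_in_seconds, source_ip).
    Returns {source_ip: (accepted, dropped)} after replaying them in order."""
    if table is None:
        table = RecentTable()
    counts = defaultdict(lambda: [0, 0])
    for now, src in sorted(events):
        if table.accept(src, now):
            counts[src][0] += 1
        else:
            counts[src][1] += 1
    return {src: tuple(c) for src, c in counts.items()}


def constructed_traffic():
    # Constructed sample: 192.0.2.10 floods 50 queries in one second, then
    # sends one more query ten seconds later, after the window has expired.
    flood = [(i * 0.02, "192.0.2.10") for i in range(50)] + [(10.0, "192.0.2.10")]
    # 198.51.100.7 behaves like a normal resolver: one query per second.
    normal = [(float(i), "198.51.100.7") for i in range(30)]
    return flood + normal


if __name__ == "__main__":
    for src, (ok, dropped) in simulate(constructed_traffic()).items():
        print(f"{src}: accepted={ok} dropped={dropped}")
```

Replaying the constructed traffic, the flooding source gets its first 19 queries through, the 20th and every later query inside the window are dropped, and it is accepted again once four seconds have passed with no hits; the one-query-per-second source is never touched. Two points worth knowing when tuning these rules: xt_recent stores at most ip_pkt_list_tot timestamps per address (20 by default), so `--hitcount 20` is the largest value the rules can use unless that module parameter is raised; and because the match is keyed on the source address, in a spoofed reflection attack that address belongs to the victim, so the rule caps how much the server will reflect toward any single victim rather than identifying the attacker.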

