IPTables DDoS protection working with per client IP address counter AND UDP

Question

I am looking to protect LAMP server with a software, which will detect above average number of requests from single IP numbers (in this case DNS queries), and add these hosts to IPTables deny chain.

So in case my Bind / Centos DNS server will handle denial of service in form of stream of UDP packets from multiple host at once, there is 10GBps interface on this machine to handle large amounts of incoming packets, and the ip tables can handle many hosts.

Is there any tool / method to actually do it? I know there is LOG, should I use this, or there is some module which would be better fit for this?

Simply each IP number with excess rate of UDP queries above some no. of requests per second is added to the blacklisted file, and based on that file IPTables chain is generated.

So my question is, how to log excessive rates from particular hosts and log them, and make it high performance, assuming all IPv4 numbers would fit into RAM?

The main thing would be to count no of packets / sessions / opened connections during hour from a single host and blacklist them.

I am looking for example source code / IPTABLES rules for port 53 which would allow 1000 requests per hour from single IP address to DNS server with Bind.

Also to keep the whitelist of permitted hosts at the same time, so during attack I can blacklist everyone while the most used DNS servers are OK, this would work in case the attacked is spoofed and every request comes from different IP address which should be also detected.

I cant make anycast service at the moment, however I need some protection on DNS to avoid DDoS, which happens from time to time.

UPDATE: There is Cisco Guard product actually doing the same, but I want this on every Linux machine. It is because Linux can handle it, so this is only problem of good software to do it.

Answer 1

You can put a cap on number of request from an IP by using mod_security, as explained here:

https://secure.jwall.org/blog/2009/07/19/1248004300834.html

Having said that, this solution is far from perfect as, in case of application level DDoS attack it can lead to:

A.) Blockage of legal requests that come from the same IP range (i.e. trojan botnet)

B.) Success of a large multi-node attack in which each IP supplies only a small amount of request (under set threshold) and thus will not be blocked.

Also, this will do nothing at all against network DDoS (i.e. SYN Flood) that uses spoofed IPs as, in this case, you don't even need to establish a full 2-way connection for the DDoS to work.

More about IP spoofing and IP DDoS Protection

To stop this you`ll need to have some kind of front-gate reverse proxy in place, to prevent access until full 2-connection is established (ACK received).

Answer 2

Snort does actually control this very well, but there is a catch. With every attack you need to add the signature, so first you need to catch it, and then you can block it.

Simply the rule works the way that above some threshold, the host is reported via alert and based on this, the rule is created or the firewall blackliat updated.

Simply I have such a little workflow to actually handle it:

For example, this could be configured by one Xeon server, or a set of EC2 machines, so I can receive the DDoS for free, but the IPTables have to process it, so it's simply DDoS protection in the cloud for the DNS running on private space for security.

I am developing the DR scenario for the large long standing DDoS attack on the DNS servers, and I need for this a cloud server with DDoS protection for DNS, so I have configured Bind-SDB, and I can kill these from spoofed address no problem, even after increasing IPTables etc, the Bind at some point is crashing, and this can take days, so I need to filter out the traffic which goes above specific level, which includes really simple couter per each ip number in RAM, so this is not a rocket science if I have connection tracking already.