On 2020-11-17, mabi <m...@protonmail.ch> wrote:
> Hello,
>
> On my DNS authoritative servers which are behind an OpenBSD 6.6 firewall I
> just saw some weird UDP high volume traffic on port 53 to these DNS servers
> coming from Google (e.g. 74.125.18.1 or 172.253.214.111).
>
> These few IPs generated around 5200 requests/second on my DNS servers so I
> was wondering if one can also limit the rate of requests in PF on UDP traffic
> such as can be done with TCP (using max-src-nodes, max-src-conn, etc)?
>
> Looking at the documentation (https://www.openbsd.org/faq/pf/filter.html) it
> only mentions TCP. So I deduce that it is simply not possible to somehow
> limit the rate of UDP connections with PF, am I right here?
>
> Regards,
> Mabi
These packets are most likely sent from spoofed source addresses. Assuming this is the case, the address you are seeing on the packets would not be the attacker but the victim.

PF doesn't support this type of request rate limiting on UDP connections. It's a bit dangerous to do so because in many cases it's trivial to spoof UDP packets, and blocking packets from a source on the basis of this can result in you DoS'ing yourself. This isn't such a problem with TCP because only someone on the network path between you and the supposed source address (i.e. someone with access to the ACK packets) is likely to be able to successfully spoof packets.

To mitigate this you might like to read the manual for your authoritative nameserver software about RRL (response rate limiting); many support it directly (including BIND and NSD). If not, you could front-end with something that can handle it itself, like dnsdist. The DNS RRL techniques typically still reply to a proportion of queries (either directly with the answer, or with a "retry over TCP" response code), reducing the impact if the source IP is *also* used by real queries as well as the attack traffic.
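To make the RRL behaviour described in the reply concrete, here is a small Python model of the accounting that BIND, NSD and dnsdist all implement in some form. This is a constructed example added for this thread, not code from any of those projects or from the thread's participants. It assumes BIND-style parameter names (responses-per-second, window, slip), buckets keyed on (client netblock, qname, qtype, rcode) with /24 and /56 prefix lengths, and constructed traffic that reuses the spoofed-looking 74.125.18.1 address from the question alongside a made-up legitimate client in the 192.0.2.0/24 documentation range. Real implementations key buckets somewhat differently (for example, BIND groups NXDOMAIN responses by the closest enclosing name and error responses by netblock only), so treat the numbers as illustrative.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Constructed example, not code from BIND, NSD or dnsdist.  It models the
accounting those implementations share: would-be responses are bucketed by
(client netblock, response identity); each bucket earns `responses_per_second`
credits per second, accumulating up to `window` seconds' worth; once credits
run out the response is dropped, except that every `slip`-th limited response
is sent as a truncated (TC=1) reply so a real client behind the (possibly
spoofed) source address can retry over TCP.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass
class Bucket:
    credits: float
    last_seen: float
    limited: int = 0  # responses this bucket has rate-limited so far


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=5, slip=2,
                 ipv4_prefix_len=24, ipv6_prefix_len=56):
        self.rps = responses_per_second
        self.cap = responses_per_second * window   # max accumulated credit
        self.slip = slip                           # 0 disables truncation
        self.v4len = ipv4_prefix_len
        self.v6len = ipv6_prefix_len
        self.buckets = {}

    def _netblock(self, src_ip):
        # Limits apply per client prefix, not per address, so an attacker
        # cannot dodge them by spraying a whole /24 of spoofed sources.
        addr = ipaddress.ip_address(src_ip)
        plen = self.v4len if addr.version == 4 else self.v6len
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def decide(self, src_ip, qname, qtype, rcode, now):
        """Return 'answer', 'truncate' or 'drop' for one would-be response."""
        key = (self._netblock(src_ip), qname.lower(), qtype, rcode)
        b = self.buckets.get(key)
        if b is None:
            # A fresh bucket starts with one second's worth of credit.
            b = self.buckets[key] = Bucket(credits=self.rps, last_seen=now)
        else:
            # Refill in proportion to elapsed time, capped at `window` seconds.
            b.credits = min(self.cap, b.credits + (now - b.last_seen) * self.rps)
            b.last_seen = now
        if b.credits >= 1:
            b.credits -= 1
            return "answer"
        b.limited += 1
        if self.slip and b.limited % self.slip == 0:
            return "truncate"   # TC=1: "retry over TCP", which spoofers cannot
        return "drop"


def run(rrl, queries):
    """Feed (t, src_ip, qname, qtype, rcode) tuples and count each decision."""
    return Counter(rrl.decide(src, qname, qtype, rcode, t)
                   for t, src, qname, qtype, rcode in queries)


# Constructed traffic (hypothetical): a 100-query burst carrying the source
# address seen in the question, one genuine query from an unrelated client,
# one from a neighbour in the same /24, then the original source a second later.
BURST = [(0.0, "74.125.18.1", "example.com", "A", "NOERROR")] * 100
OTHER_CLIENT = [(0.0, "192.0.2.10", "example.com", "A", "NOERROR")]
SAME_NETBLOCK = [(0.0, "74.125.18.7", "example.com", "A", "NOERROR")]
NEXT_SECOND = [(1.0, "74.125.18.1", "example.com", "A", "NOERROR")] * 10


def demo():
    """Run the constructed stages through one limiter; return per-stage counts."""
    rrl = ResponseRateLimiter(responses_per_second=5, window=5, slip=2)
    stages = {}
    for name, qs in [("burst", BURST), ("other_client", OTHER_CLIENT),
                     ("same_netblock", SAME_NETBLOCK), ("next_second", NEXT_SECOND)]:
        stages[name] = run(rrl, qs)
    return stages


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:14s} {dict(counts)}")
```

With these settings the 100-query burst gets 5 answers, 47 truncated replies and 48 drops; the unrelated client is answered normally because it lives in a different bucket; a second address in the same /24 is limited along with the first; and a second later the same source earns another 5 answers. That last point is the trade-off the reply mentions: even under RRL the victim behind a spoofed address still receives `responses_per_second` answers per second per (netblock, name) bucket, which is far better than 5200/s but not zero.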