DNS recursive attacks, DoS and DDoS : iptables -m recent is your friend

Got plenty of query (cache) 'isc.org/ANY/IN' denied in your bind9 logs? Like about 1 query per second from several IPs? Want to tell them to get lost? This entry may interest you then.

No extensive writing needed here; this is the essential part:

# 1. record the source address of every incoming UDP/53 packet in the 'recent' list
$IPT -A INPUT -i $MAIN_IF -p udp --dport 53 -m recent --set

# 2. drop the packet if that address already has 10 or more hits in the last 30 seconds
$IPT -A INPUT -i $MAIN_IF -p udp --dport 53 -m recent --update --seconds 30 --hitcount 10 -j DROP

# 3. anything else on UDP/53 is accepted
$IPT -A INPUT -p udp --dport 53 -j ACCEPT

I put these rules before other INPUT rules, and restarted my firewall.

Now DNS access on my public IP is limited to 10 separate queries within a 30 second timeframe. It seems acceptable for the moment, and DNS fsckers generally get dropped within the first 15 seconds, which is fine by me. But feel free to experiment with different values according to your needs.
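To see what the three rules do to a given source address before changing the numbers, here is an added Python model of them (not part of this post) that replays constructed traffic through the same 30 second / 10 hit window. It assumes the xt_recent behaviour as I read it in the kernel module: the --set rule records one timestamp per packet, the --update rule counts timestamps newer than 30 seconds and records one more whenever it matches, and the list keeps at most 20 timestamps per address; because --set runs first, the tenth query inside the window is the first one dropped.

```python
from collections import defaultdict, deque

SECONDS = 30      # --seconds 30
HITCOUNT = 10     # --hitcount 10
LIST_SIZE = 20    # xt_recent ip_pkt_list_tot default (assumption: unchanged)


class RecentList:
    """Minimal model of one xt_recent list driven by the post's three rules."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, list_size=LIST_SIZE):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=list_size))

    def packet(self, src, now):
        """Verdict ('ACCEPT' or 'DROP') for one UDP/53 packet from src at time now."""
        stamps = self.stamps[src]
        stamps.append(now)                                  # rule 1: --set
        hits = sum(1 for t in stamps if now - t < self.seconds)  # rule 2 window
        if hits >= self.hitcount:
            stamps.append(now)                              # --update on a match
            return "DROP"
        return "ACCEPT"                                     # rule 3: ACCEPT


def replay(queries, **kw):
    """queries: iterable of (time_in_seconds, src_ip); returns {src: [verdicts]}."""
    rl = RecentList(**kw)
    verdicts = defaultdict(list)
    for now, src in sorted(queries):
        verdicts[src].append(rl.packet(src, now))
    return dict(verdicts)


# Constructed traffic (documentation address ranges): an abuser sending 1 query/s
# for 40 s and coming back after 30 s of silence, and a resolver querying every 5 s.
ABUSER, RESOLVER = "192.0.2.10", "198.51.100.53"
TRAFFIC = ([(t, ABUSER) for t in range(0, 40)]
           + [(t, RESOLVER) for t in range(0, 40, 5)]
           + [(t, ABUSER) for t in range(70, 73)])

if __name__ == "__main__":
    for src, v in replay(TRAFFIC).items():
        first = v.index("DROP") if "DROP" in v else None
        print(f"{src}: {v.count('DROP')} of {len(v)} dropped, first drop at packet {first}")
```

The counter keys on the UDP source address, so watch `/proc/net/xt_recent/DEFAULT` for legitimate resolvers showing up in the list after you deploy the rules.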

I hope this will help :)