DNS port flooding

We've had some problems with DNS requests flooding our network. I've implemented some very basic ACLs to block the offending IPs as they hit us. I've blocked 6 or 8 IPs now and am looking for a better long term solution. I'm not a Cisco guru by any stretch of the imagination.

I've simply blocked IPs using the following method:

access-list 11 deny xxx.xxx.xxx.xxx 0.0.0.0
access-list 11 permit any

I then applied this access group to eth0 out. It makes more sense to me to apply this to serial0 but it had no effect either "in" or "out".

What I'd like to accomplish (in plain English):

#1 Only allow DNS requests to actual DNS servers.
#2 Block some hosts from accessing port 53 at all.
#3 Only allow X requests per time interval PER HOST to port 53.

Can this be done? Any pointers?

Thanks!

Scott


Sounds like a question from the CCIE R&S lab; for starters, if you have a switched environment you could do something like:

interface FastEthernet0/1
 switchport access vlan 160
 storm-control broadcast level 25.00
 storm-control action shutdown
 spanning-tree portfast

the_jonesboys_posse

To deny a specific host from DHCP:

access-list 101 deny udp host 1.1.1.1 eq domain host 2.2.2.2 log
access-list 101 permit ip any any

where 1.1.1.1 is the host and 2.2.2.2 is the DHCP server; this ACL would be placed on the ingress of your Ethernet interface.

interface F0/0
 ip access-group 101 in

the_jonesboys_posse

As a general rule you should create the acl based on what you want to 'allow' and let everything else get trapped by the explicit deny at the end .. there are exceptions to this of course.

In your case this single line takes care of the first two requirements:

permit udp any host eq 53

I thought CBAC could control the rate of new connections but I only see 'half-open' limits:

I'm tired and don't want to look any more.

BernieM


Also came across this on the CatIOS switches:

Switch(config)#errdisable detect cause dhcp-rate-limit

the_jonesboys_posse



I just noticed my suggestion doesn't address rule #2 "deny 'some' hosts from accessing the dns". With that one there's not much else to do except block addresses individually. Have you tried to contact the sys admins responsible for each address? Sometimes it's a misconfiguration on their part and they appreciate having someone tell them about it ... sometimes not.

BernieM


I don't know about #3 (some other responses mentioned a DHCP rate limit, but not DNS), but #1 and #2 can be done easily with extended ACLs:

access-list 101 deny udp host x.x.x.x any eq domain
access-list 101 deny tcp host x.x.x.x any eq domain
access-list 101 deny udp host y.y.y.y any eq domain
access-list 101 deny tcp host y.y.y.y any eq domain
...
access-list 101 permit udp any host eq domain
access-list 101 permit tcp any host eq domain

Barry Margolin
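None of the replies give an IOS construct for rule #3 (X requests per time interval per host to port 53). As an added example that is not from the thread, the following Python script applies that per-host sliding-window check to a packet log, so the hosts that would need an individual deny entry can be found from the traffic rather than by hand. The log format (epoch time, source IP, destination IP, destination port) and the sample lines are constructed assumptions.

```python
"""Per-source DNS query rate check over a packet log (added example).

Implements the original poster's rule #3 as a detection: report any
source that sends more than max_requests to port 53 within any
window_seconds interval. Log layout below is an assumption.
"""
from collections import defaultdict, deque

# Constructed sample log: "<epoch> <src_ip> <dst_ip> <dst_port>", one packet per line.
SAMPLE_LOG = """\
1000.0 10.0.0.5 192.0.2.53 53
1000.2 10.0.0.5 192.0.2.53 53
1000.4 10.0.0.5 192.0.2.53 53
1000.6 10.0.0.5 192.0.2.53 53
1000.8 10.0.0.5 192.0.2.53 53
1001.0 10.0.0.5 192.0.2.53 53
1001.5 10.0.0.9 192.0.2.53 53
1002.0 10.0.0.9 192.0.2.53 80
1003.0 10.0.0.9 192.0.2.53 53
"""


def find_dns_flooders(log_text, max_requests, window_seconds, dns_port=53):
    """Return {src_ip: timestamp} for each source at the moment it first
    exceeds max_requests queries to dns_port inside a window_seconds window."""
    windows = defaultdict(deque)   # src_ip -> timestamps of recent DNS queries
    offenders = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, port = line.split()
        if int(port) != dns_port:
            continue                # not a DNS request, ignore it
        ts = float(ts)
        recent = windows[src]
        recent.append(ts)
        # evict timestamps that have aged out of the sliding window
        while recent and ts - recent[0] > window_seconds:
            recent.popleft()
        if len(recent) > max_requests and src not in offenders:
            offenders[src] = ts     # record the first time the limit was crossed
    return offenders


if __name__ == "__main__":
    for ip, when in find_dns_flooders(SAMPLE_LOG, max_requests=5, window_seconds=1.0).items():
        print(f"{ip} exceeded 5 DNS requests/second at t={when}")
```

With the sample above, only 10.0.0.5 trips the limit (six queries within one second); the host that queried port 80 is ignored for that packet.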
