November 8, 2006

PHREL beats back DNS server attacks

Author: James Sella

Running a public name server on the Internet today can be challenging, when it's exposed to a neverending flood of attacks against it. The situation is worse if you're an ISP that provides recursive lookups for customers. There are many ways to fight high traffic levels, such as adding more servers or buying specialized hardware solutions or firewalls that help to protect against abusive traffic. Another solution, if you're running your name server on a Linux system is PHREL, a Per Host RatE Limiter.The problem comes when customer hosts are compromised and used to send spam, which in turn sends thousands of DNS requests per minute to your name server as they seek their recipients' mail server addresses. Other customer hosts are configured to resolve their Web server's log file or their mail server to perform envelope verification, which results in bursts of DNS requests. The end result of these situations and others is that often your public name server becomes overworked and unable to reliably answer DNS requests for non-abusive hosts.

PHREL is written in C to track the rate of incoming traffic on a per-host basis and insert a chain into iptables when a configured threshold is crossed. The inserted chain may either rate limit or completely block the offending host for a period of time and will be automatically removed when the offending host's traffic levels return to normal. PHREL can be used with any type of traffic, but it is particularly well suited to protecting name servers from random hosts that flood DNS requests, and preventing SSH brute force login attempts.

To use the GPL-licensed PHREL to protect your name server, install it directly on the server by following the install instructions.

Once PHREL is installed, it can be configured to accept thresholds and other settings either via the command line or a configuration file. For the purposes of this article, we'll stick with the command line.

Since we're protecting a name server, we'll need to tell phreld, the PHREL daemon, to track incoming traffic on UDP port 53 (DNS) and specify what behavior we'd like for each threshold. The command below instructs phreld to use a threshold of 50 packets per second, with traffic being rate-limited to 25pps if that threshold is crossed. Additionally, a threshold of 150pps is configured, with traffic being completely blocked if a host reaches that traffic level.

> /usr/local/bin/phreld -P udp -p 53 -T50:25 -T150:0

If you have hosts that you'd like PHREL to not block or enforce rate limiting against, you can use the -X (exclude) option. The IP address of the host on which phreld is run is automatically excluded. So, if you'd like to exclude servers within 39.250.66.0/24 and the host 23.120.42.2, modify the command line above like so:

> /usr/local/bin/phreld -P udp -p 53 -T50:25 -T150:0 -X 39.250.66.0/24 -X 23.120.42.2

As PHREL takes action against abusive hosts, it will log everything it does to syslog. Optionally, PHREL can be configured to generate SNMP traps, which allows for easy integration with a network management system.

There are many more options available to customize how PHREL operates, as described in its man page. The software also provides a support forum.

James Sella is the Manager of IP Engineering at Time Warner Telecom and is the author of PHREL and other open source software.

Click Here!