Based on the wonderful work by other users in automatically blocking SSH and FTP brute force attacks, here’s a short config I came up with to block DNS attacks. I’m not sure yet what the rate should be, but it did manage to halt an amplification attack in just a few seconds.
add action=drop chain=forward comment="DNS Attack - Drop" in-interface=WAN src-address-list=dns_attack
add chain=forward comment="DNS Attack - Rate Limit" dst-limit=10/1m,20,src-address/1m dst-port=53 in-interface=WAN protocol=udp
add action=add-src-to-address-list address-list=dns_attack address-list-timeout=3d chain=forward comment="DNS Attack - Add to blacklist" dst-port=53 in-interface=WAN protocol=udp

I’d be very interested to hear if anyone has any suggestions on improvements or tweaks.
Thanks!
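One way to see how the three rules above interact (first-match ordering, the non-terminating add-src-to-address-list action, the 3d list timeout) is to simulate the chain in Python. This is an added example, not part of the post; it assumes dst-limit behaves like a per-source token bucket (rate tokens per minute, burst tokens banked, entry forgotten after 1m idle) and runs over constructed packet timestamps.

```python
from collections import namedtuple

# Parameters copied from the post's rules
RATE_PER_MIN = 10             # dst-limit rate:  10 packets per minute
BURST = 20                    # dst-limit burst: 20 packets
LIMIT_EXPIRE = 60             # dst-limit expire: entry forgotten after 1m idle
LIST_TIMEOUT = 3 * 24 * 3600  # address-list-timeout=3d, in seconds

Packet = namedtuple("Packet", "ts src")  # constructed: UDP/53 arriving on WAN


class DstLimit:
    """Assumed token-bucket model of dst-limit keyed on src-address."""

    def __init__(self):
        self.buckets = {}  # src -> (tokens, last_seen)

    def match(self, src, ts):
        tokens, last = self.buckets.get(src, (BURST, ts))
        if ts - last > LIMIT_EXPIRE:        # idle entry expired: start fresh
            tokens = BURST
        tokens = min(BURST, tokens + (ts - last) * RATE_PER_MIN / 60.0)
        matched = tokens >= 1
        self.buckets[src] = (tokens - 1 if matched else tokens, ts)
        return matched


class DnsForwardChain:
    def __init__(self):
        self.limiter = DstLimit()
        self.dns_attack = {}  # address list: src -> expiry timestamp

    def handle(self, pkt):
        # Rule 1: source already on dns_attack -> drop
        expiry = self.dns_attack.get(pkt.src)
        if expiry is not None and pkt.ts < expiry:
            return "drop"
        # Rule 2: within dst-limit -> accept (RouterOS default action)
        if self.limiter.match(pkt.src, pkt.ts):
            return "accept"
        # Rule 3: over the limit -> list the source for 3d. This action does not
        # terminate the chain, so this packet still passes; later ones hit Rule 1.
        self.dns_attack[pkt.src] = pkt.ts + LIST_TIMEOUT
        return "listed"


def run_chain(packets):
    chain = DnsForwardChain()
    return [chain.handle(p) for p in packets]


# Constructed traffic: a normal resolver client and a flood from one source
NORMAL = [Packet(ts=i * 10.0, src="192.0.2.10") for i in range(6)]
FLOOD = [Packet(ts=100.0, src="198.51.100.7") for _ in range(100)]
```

With these parameters a quiet client is never listed, while a burst from one source gets 20 packets through, is listed on the 21st, and is dropped from the 22nd onward.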