I am seeing (as I suspect are many others) DNS requests from various (forged) IPs requesting root DNS servers.
This is a form of DoS attack on the forged IP: they send streams of these requests to a huge number of DNS servers, which respond with lists of the root servers to the unfortunate victim.
Besides not wanting to participate in these attacks, the volume of traffic generated is non-negligible (several GB per day).
A simple firewall rule to drop packets destined for port 53 from the IP(s) being hammered works, until they choose a new set of IPs to attack. Continually updating the firewall rule is not a lot of fun.
What I tried to do was to adapt the rule to add Extra/Dst. Limit (via WinBox).
I set it up thus:
Rate: 30/min
Burst: 0
Limit By: addresses and dst port
Expire: 1000000
Removed the source address; otherwise left the rule the same.
4 ;;; Block DNS hog
chain=forward action=drop protocol=udp dst-port=53
dst-limit=30/1m,0,addresses-and-dst-port/2h46m40s
What I expected to happen was that packets from to on port 53 would exceed 30 per minute, get added to some internal list, and henceforth be dropped for 1,000 seconds.
Didn’t work that way. Nothing seemed to happen, the rogue packets continued to be passed.
So, what am I doing wrong, and does anyone have any better ideas?
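The rule set below is an added example, not the poster's configuration or anything from the MikroTik documentation verbatim. It keeps the poster's dst-limit parameters (30 per minute, burst 0, keyed on src/dst address and destination port, 2h46m40s bucket expiry) but inverts the logic: in RouterOS the dst-limit matcher matches a packet only while the rate for that key has not yet been exceeded, so `action=drop dst-limit=...` drops the first 30 packets per minute and lets the rest of the flood through. Accepting within the limit and handling the overflow in the following rules gives the behaviour the post describes. The address-list name `dns-flood`, the 16m40s (1000 s) list timeout and the comments are assumptions chosen for this example; the chain is `forward` as in the original rule, so the accept rule should sit before any other forward rules that are meant to see DNS traffic.

```routeros
/ip firewall filter
# (added example) Rule 1: anything already identified as a DNS flood source is dropped.
# Entries in the list expire on their own, so no manual rule editing is needed
# when the attacker moves to a new set of forged IPs.
add chain=forward action=drop protocol=udp dst-port=53 \
    src-address-list=dns-flood comment="drop listed DNS hogs"

# Rule 2: dst-limit matches only while the (src, dst, dst-port) triple is UNDER
# 30 packets per minute, so this rule must ACCEPT, not drop. Rate buckets are
# kept for 2h46m40s after the last packet, as in the original rule.
add chain=forward action=accept protocol=udp dst-port=53 \
    dst-limit=30/1m,0,addresses-and-dst-port/2h46m40s comment="DNS within limit"

# Rule 3: a packet reaching here has exceeded the limit for its triple.
# Put the (forged) source address on the list for 1000 s (assumed timeout,
# matching the 1,000 s the post asks for). add-src-to-address-list does not
# terminate processing, so the same packet then falls through to rule 4.
add chain=forward action=add-src-to-address-list address-list=dns-flood \
    address-list-timeout=16m40s protocol=udp dst-port=53 comment="flag DNS hog"

# Rule 4: drop the packet that triggered the listing. Subsequent packets from
# that source are caught by rule 1 at the top.
add chain=forward action=drop protocol=udp dst-port=53 \
    src-address-list=dns-flood comment="drop newly listed DNS hog"
```

To check that it is doing what you expect, watch `/ip firewall address-list print where list=dns-flood` while the flood is running: the forged source addresses should appear with a countdown timeout, and the packet counter on rule 1 should climb while the counter on rule 2 stays close to the legitimate query rate. Because the limit key includes the source address, a single forged victim address is what trips it, and genuine resolvers querying at a normal rate are unaffected.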