Let me explain (assuming that there are no other traffic shaper rules):
- add a pipe named Pipe1, speed 1Kbit/s and mask "source" (leave the other variables as they are)
- add a rule named Rule1 with target Pipe1, interface WAN, protocol UDP, source any, destination single host (your NATed internal server IP), destination port range DNS and direction any (leave the other variables as they are)
- enable the traffic shaper
In general this rule says that any single client is able to exchange 1024 bits, that is 128 bytes, which is two 64-byte DNS packets per second.
So, if a single client sends more than the allowed DNS queries per second, it must wait for the second to pass, thus limiting the data rate, thus the packet rate, thus the query rate, thus the growth of the state table per second. This should allow normal state flushing with no overflows.
I've tried this and it works okay for me.
A problem might occur if more than 2 DNS packets per second are required by a legitimate user, so the user would get a slightly slower response (keep in mind that recursive server caching and higher DNS zone record TTLs are helpful in this situation); however, if this is the case, raising the limit to for example 2Kbit/s would ease the situation. Keep in mind that if attacked I suggest 1Kbit/s as in the previous example. Anyhow, if bigger DNS packets are used, a value of 2Kbit/s or 4Kbit/s could be used, but this still leads to a quite higher possibility of state table overflow.
Note: This is not bulletproof, and then again nothing is; if the attacker obtains a large number of client servers with different IPs (a larger DDoS attack) the attacker might still be able to overflow the state table or, even worse, choke the link. Still, this strategy is not worthless: it makes the attacker spend more resources and knowledge on the attack, which makes a larger-scale attack less feasible.
If this solution does not suit your needs, you can at any time turn off the traffic shaper and/or erase the added rules without causing any damage to your system.
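As an added illustration of the arithmetic above (it is not part of the original post and not a real shaper), the following Python models a pipe with mask "source" as one byte-rate queue per source IP and runs a constructed trace through it: one client at 1 query/s and one source flooding 100 queries/s. The 1024 bit/s and 64-byte figures are the post's; the 50-slot queue depth and the two addresses are assumptions. It also shows the packets-per-second figure for the 2Kbit/s setting mentioned for tuning.

```python
from collections import defaultdict

PIPE_BW_BPS = 1024     # Pipe1: 1 Kbit/s, taken as 1024 bit/s to match the post's arithmetic
DNS_PKT_BYTES = 64     # small DNS query, as in the post
QUEUE_SLOTS = 50       # assumption: per-source queue depth before the pipe starts dropping

LEGIT, FLOODER = "203.0.113.5", "198.51.100.7"   # constructed sample addresses


def packets_per_second(bw_bps, pkt_bytes):
    """Whole packets of pkt_bytes that fit through a bw_bps pipe in one second."""
    return bw_bps // (pkt_bytes * 8)


def shape(packets, bw_bps=PIPE_BW_BPS, queue_slots=QUEUE_SLOTS):
    """Model of a pipe with mask 'source': every source IP gets its own bw_bps queue.
    packets: iterable of (arrival_time_s, src_ip, size_bytes) -> (departures, drops)."""
    next_free = defaultdict(float)        # per source: when its queue can transmit again
    departures, drops = [], 0
    for t, src, size in sorted(packets):
        tx_time = size * 8 / bw_bps       # seconds this packet occupies the pipe
        start = max(t, next_free[src])
        if (start - t) / tx_time >= queue_slots:   # backlog ahead of it fills the queue
            drops += 1
            continue
        next_free[src] = start + tx_time
        departures.append((start + tx_time, src))
    return departures, drops


def states_per_second(departures):
    """Queries reaching the server per (second, source); each one opens a firewall state."""
    counts = defaultdict(int)
    for depart, src in departures:
        counts[(int(depart), src)] += 1
    return dict(counts)


def demo():
    """Constructed trace: one client at 1 query/s, one source flooding 100 queries/s, 5 s."""
    trace = [(s, LEGIT, DNS_PKT_BYTES) for s in range(5)]
    trace += [(i / 100, FLOODER, DNS_PKT_BYTES) for i in range(500)]
    departures, drops = shape(trace)
    return states_per_second(departures), drops


if __name__ == "__main__":
    states, drops = demo()
    for (sec, src), n in sorted(states.items())[:10]:
        print(f"second {sec}: {src} -> {n} new state(s)")
    print(f"dropped at the pipe: {drops}")
```

Whatever the flooding source sends, no more than two of its queries per second reach the server and create states, while the 1 query/s client is untouched.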