LF_BIND not blocking DNS UDP 53 traffic
Posted: 14 Oct 2014, 20:16
When configuring LF_BIND for detection of repeated BIND denied requests, LFD detects and temporarily blocks TCP port 53 for the offending IP address but leaves UDP port 53 open for the attacks to continue. This can be verified by examining the temporary block list and the active IP tables rules.
Example:
1 0 0 DROP tcp -- !lo * 192.221.138.116 0.0.0.0/0 tcp dpt:53
Eventually the IP reaches the LF_PERMBLOCK_COUNT and all traffic is dropped for the offending IP, but this should have been done sooner using temporary blocks.
Per specs, DNS uses both TCP and UDP port 53 to respond to queries.
From all of my testing, this appears to be a bug, and I am unable to find a way to configure LFD to block UDP port 53 as well for DNS, so I am reporting this as such.
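An added audit script (not part of the post or of CSF/LFD) that parses `iptables -L INPUT -n -v --line-numbers` output in the format quoted above, reports sources whose port 53 DROP covers only one of TCP/UDP, and prints the iptables command that would close the gap. The listing is constructed; only the first rule mirrors the one from the post, the other addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `iptables -L INPUT -n -v --line-numbers`.
# Rule 1 mirrors the post's TCP-only temp block; 198.51.100.7 has both
# protocols dropped; 203.0.113.9 is dropped for all traffic (a perm block).
SAMPLE_RULES = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  !lo    *       192.221.138.116      0.0.0.0/0            tcp dpt:53
2        0     0 DROP       tcp  --  !lo    *       198.51.100.7         0.0.0.0/0            tcp dpt:53
3        0     0 DROP       udp  --  !lo    *       198.51.100.7         0.0.0.0/0            udp dpt:53
4        0     0 DROP       all  --  !lo    *       203.0.113.9          0.0.0.0/0
"""

DPT_RE = re.compile(r"\bdpt:(\d+)\b")

def parse_drop_rules(listing):
    """Yield (source, proto, port) for every DROP rule that names a destination port."""
    for line in listing.splitlines():
        fields = line.split()
        # Columns: num pkts bytes target prot opt in out source destination [extras]
        if len(fields) < 10 or fields[3] != "DROP":
            continue
        m = DPT_RE.search(line)
        if m:
            yield fields[8], fields[4], int(m.group(1))

def find_half_blocked(listing, port=53):
    """Map source -> the protocol still open when only one of tcp/udp is dropped."""
    protos = defaultdict(set)
    for src, proto, p in parse_drop_rules(listing):
        if p == port:
            protos[src].add(proto)
    return {src: ({"tcp", "udp"} - ps).pop()
            for src, ps in protos.items() if len(ps & {"tcp", "udp"}) == 1}

def missing_rule_commands(listing, port=53):
    """iptables commands that would add the missing half of each temp block."""
    return [f"iptables -I INPUT ! -i lo -s {src} -p {proto} --dport {port} -j DROP"
            for src, proto in sorted(find_half_blocked(listing, port).items())]

if __name__ == "__main__":
    for cmd in missing_rule_commands(SAMPLE_RULES):
        print(cmd)
```

Run it against live output by replacing SAMPLE_RULES with the captured listing; an empty result means every port 53 block covers both protocols.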