On 2026-04-09 23:19, Trevor Cordes wrote:
> Ideas before they get the banhammer?

Without knowing the back end... any opportunity to rate limit? How I've handled similar in the past was at the firewall level (excuse the OpenBSD PF parlance).

# where egress is the 'upstream interface' group
DNS_RESOLVERS="10.0.0.53 10.0.1.53"

# ban abusers for an hour
table <dns_abusers> persist timeout 3600
table <dns_bypass> persist file "/var/db/dns_bypass.txt"

# Never block or rate limit some hosts.
pass in quick on egress proto tcp from <dns_bypass> to $DNS_RESOLVERS port 53
pass in quick on egress proto udp from <dns_bypass> to $DNS_RESOLVERS port 53

# NOT RETURN, just ignore for duration
block in drop quick on egress from <dns_abusers>

# Flag an IP that holds more than 100 UDP states at once. (max-src-conn and
# max-src-conn-rate only count TCP connections that completed the 3-way
# handshake, so for UDP the per-source limit that takes effect is max-src-states.)
pass in quick on egress proto udp from any to $DNS_RESOLVERS port 53 \
    keep state (max-src-states 100, overload <dns_abusers> flush global)

# If an IP makes more than 50 TCP connections in 10 seconds, it gets flagged
pass in quick on egress proto tcp from any to $DNS_RESOLVERS port 53 \
    flags S/SA synproxy state \
    (max-src-conn 5, max-src-conn-rate 50/10, \
     overload <dns_abusers> flush global)

I'm sure there are similar cloudy ways to do similarly? Just a random idea.

-- 
Sean
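As an added example, not part of Sean's post and not PF code: the same per-source threshold, overload table and bypass list written as a user-space detector over resolver log lines, for the "cloudy" case where no packet filter sits in front of the service. The limits (100 per 10 s UDP, 50 per 10 s TCP, one-hour ban) are taken from the rules above; the log line format, the addresses and the bypass entry are constructed assumptions.

```python
from collections import defaultdict, deque

# Mirrors the PF rules above: per-source limits as (count, window seconds),
# a one-hour ban (table timeout 3600) and a never-limited bypass list.
LIMITS = {"udp": (100, 10), "tcp": (50, 10)}
BAN_SECONDS = 3600
BYPASS = {"10.0.0.10"}  # constructed stand-in for the <dns_bypass> table

def parse_line(line):
    """Constructed log format: '<unix_ts> <src_ip> <udp|tcp>'."""
    ts, src, proto = line.split()
    return int(ts), src, proto.lower()

def detect_abusers(lines, limits=LIMITS, ban_seconds=BAN_SECONDS, bypass=BYPASS):
    """Return {src_ip: ban_expiry}, the equivalent of the <dns_abusers> table.
    Lines must be in time order. A source is banned once it exceeds the
    per-protocol count inside the sliding window (max-src-conn-rate); its
    pending window is discarded, like 'flush global' drops its states."""
    windows = defaultdict(deque)  # (src, proto) -> timestamps inside window
    banned = {}
    for ts, src, proto in map(parse_line, lines):
        if src in bypass:
            continue                 # 'pass quick from <dns_bypass>'
        if src in banned:
            if banned[src] > ts:
                continue             # still in the table: dropped silently
            del banned[src]          # table entry timed out after ban_seconds
        count, window = limits[proto]
        q = windows[(src, proto)]
        q.append(ts)
        while q[0] <= ts - window:   # drop timestamps that left the window
            q.popleft()
        if len(q) > count:
            banned[src] = ts + ban_seconds
            windows.pop((src, proto), None)
    return banned

def sample_log():
    """Constructed log: a UDP flooder, a TCP flooder, a quiet client and a
    noisy host that is on the bypass list."""
    lines = [f"{t // 20} 198.51.100.7 udp" for t in range(101)]  # 101 in 6 s
    lines += [f"{t // 10} 203.0.113.9 tcp" for t in range(51)]   # 51 in 6 s
    lines += [f"{t} 192.0.2.20 udp" for t in range(20)]          # 1 query/s
    lines += [f"{t // 100} 10.0.0.10 udp" for t in range(500)]   # bypassed
    lines += ["100 198.51.100.7 udp", "3700 198.51.100.7 udp"]  # during, after ban
    return sorted(lines, key=lambda l: int(l.split()[0]))
```

The final line of the sample arrives after the UDP flooder's ban has expired, so that source is let back in and its table entry disappears, while the TCP flooder is still listed.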
Ideas before they get the banhammer?
Without knowing the back end... any opportunity to rate limit? How I've handed similar in the past was at the firewall level (excuse the openbsd PF parlance). # where egress is the 'upstream interface' group DNS_RESOLVERS="10.0.0.53 10.0.1.53" # ban abusers for an hour table <dns_abusers> persist timeout 3600 table <dns_bypass> persist file "/var/db/dns_bypass.txt" # Never block or rate limit some hosts. pass in quick on egress proto tcp from <dns_bypass> from any to $DNS_RESOLVERS port 53 pass in quick on egress proto udp from <dns_bypass> from any to $DNS_RESOLVERS port 53 block in drop quick on egress from <dns_abusers> # NOT RETURN, just ignore for duration #If an IP makes more than 100 connections via UDP in 10 seconds, it gets flagged pass in on egress proto udp to port 53 \ keep state (max-src-conn-rate 100/10, overload <dns_abusers> flush global) #If an IP makes more than 50 TCP connections in 10 seconds, it gets flagged pass in quick on egress proto tcp from any to $DNS_RESOLVERS port 53 \ flags S/SA synproxy state \ (max-src-conn 5, max-src-conn-rate 50/10, \ overload <dns_abusers> flush global) I'm sure there are similar cloudy ways to do similarly? Just a random idea. -- Sean