Author: James Sella
PHREL is written in C to track the rate of incoming traffic on a per-host basis and insert a chain into iptables when a configured threshold is crossed. The inserted chain may either rate limit or completely block the offending host for a period of time and will be automatically removed when the offending host’s traffic levels return to normal. PHREL can be used with any type of traffic, but it is particularly well suited to protecting name servers from random hosts that flood DNS requests, and preventing SSH brute force login attempts.
To use the GPL-licensed PHREL to protect your name server, install it directly on the server by following the install instructions.
Once PHREL is installed, it can be configured to accept thresholds and other settings either via the command line or a configuration file. For the purposes of this article, we’ll stick with the command line.
Since we’re protecting a name server, we’ll need to tell phreld, the PHREL daemon, to track incoming traffic on UDP port 53 (DNS) and specify what behavior we’d like for each threshold. The command below instructs phreld to use a threshold of 50 packets per second, with traffic being rate-limited to 25pps if that threshold is crossed. Additionally, a threshold of 150pps is configured, with traffic being completely blocked if a host reaches that traffic level.
> /usr/local/bin/phreld -P udp -p 53 -T50:25 -T150:0
If you have hosts that you’d like PHREL to not block or enforce rate limiting against, you can use the -X (exclude) option. The IP address of the host on which phreld is run is automatically excluded. So, if you’d like to exclude servers within 39.250.66.0/24 and the host 23.120.42.2, modify the command line above like so:
> /usr/local/bin/phreld -P udp -p 53 -T50:25 -T150:0 -X 39.250.66.0/24 -X 23.120.42.2
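To make the effect of the two command lines above concrete, here is a small Python model of the per-host decision phreld makes each second (added for illustration; it is not PHREL's own code and does not touch iptables). It assumes that a host reaching a trigger exactly counts as crossing it, and that a host's chain is removed as soon as its rate falls back under the first threshold.

```python
import ipaddress
from collections import Counter

# Thresholds as on the phreld command line in the text: -T50:25 -T150:0.
# (trigger in packets/second, action); action is a limit in pps, 0 = block.
THRESHOLDS = [(50, 25), (150, 0)]
# Exclusions as given with -X (phreld's own address, also excluded, is unknown here).
EXCLUDED = [ipaddress.ip_network("39.250.66.0/24"),
            ipaddress.ip_network("23.120.42.2/32")]

def is_excluded(host):
    """True if host lies inside any -X network (a single host is a /32)."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in EXCLUDED)

def action_for_rate(pps):
    """Action for the highest threshold reached: None (no chain), a limit in
    pps, or 0 (block). Assumption: reaching the trigger exactly counts."""
    chosen = None
    for trigger, action in sorted(THRESHOLDS):
        if pps >= trigger:
            chosen = action
    return chosen

def step(active, packets):
    """Advance one second. packets: source addresses seen in that second;
    active: host -> action currently enforced. Returns the new active map and
    the hosts whose chain was removed because their rate fell back under the
    first threshold (the automatic removal the text describes)."""
    counts = Counter(packets)
    new_active = {}
    for host, n in counts.items():
        if is_excluded(host):
            continue                      # never limited or blocked
        action = action_for_rate(n)
        if action is not None:
            new_active[host] = action
    removed = set(active) - set(new_active)
    return new_active, removed

if __name__ == "__main__":
    # Constructed sample: one second of DNS queries, by source address.
    second1 = (["198.51.100.7"] * 60 + ["203.0.113.9"] * 200
               + ["39.250.66.10"] * 300 + ["192.0.2.1"] * 10)
    active, removed = step({}, second1)
    print(active)   # {'198.51.100.7': 25, '203.0.113.9': 0}
    # Next second the first flooder calms down, so its chain is removed.
    active, removed = step(active, ["198.51.100.7"] * 5 + ["203.0.113.9"] * 200)
    print(removed)  # {'198.51.100.7'}
```

The excluded 39.250.66.10 sends the most traffic in the sample yet gets no action, which is worth keeping in mind when choosing what to list under -X.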
As PHREL takes action against abusive hosts, it will log everything it does to syslog. Optionally, PHREL can be configured to generate SNMP traps, which allows for easy integration with a network management system.
There are many more options available to customize how PHREL operates, as described in its man page. The software also provides a support forum.
James Sella is the Manager of IP Engineering at Time Warner Telecom and is the author of PHREL and other open source software.