Re: denied NS/IN

Fri, 23 Jan 2009 14:58:10 -0800 

In message <f4058b15-888b-4cbd-b682-2ea2e1889...@stupendous.net>, Nathan 
Ollerenshaw writes:
> On 21/01/2009, at 10:40 AM, Scott Haneda wrote:
> 
> > Hello, looking at my logs today, I am getting hammered with these:
> > 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:  
> > query (cache) './NS/IN' denied
> > 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:  
> > query (cache) './NS/IN' denied
> >
> > Repeated over and over, how do I tell what they are, and if they are  
> > bad, what is the best way to block them?
> > --
> > Scott
> 
> Scott,
> 
> As you know, these are spoofed queries, created in the hope that you  
> will reflect traffic back to these IPs to assist in DDoSing them.
> 
> Patrik Rak posted to my blog an iptables rule, which is useful for  
> those of us running linux, that drops this specific type of recursive  
> query; namely IN NS queries against '.'.
> 
> iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
> "0>>22&0...@12>>16=1&&0>>22&0...@20>>24=0&&0>>22&0...@21=0x00020001"
> 
> I've tested it, and it appears effective. I now have blessed silence  
> in my logfiles.

        You you don't also have blessed silence on the counters
        on this rule there is still a problem and you should be
        complaining to whoever is sending the packets to you.

        This just stops the amplification it doesn't clear up the
        problem.
 
> Ideally it'd be great to be able to track back through the internet  
> and get every single network operator to implement BCP 38, but while  
> that's getting done (and good luck with that), you at least have a  
> workaround.
> 
> At least until the kiddies change what kind of query they use ... god  
> forbid they work out what names an authoritative nameserver WILL  
> respond to and query that.
> 
> Hope this helps,
> 
> Nathan.
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to