In message <f4058b15-888b-4cbd-b682-2ea2e1889...@stupendous.net>, Nathan Ollerenshaw writes:
> On 21/01/2009, at 10:40 AM, Scott Haneda wrote:
>
> > Hello, looking at my logs today, I am getting hammered with these:
> > 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:
> > query (cache) './NS/IN' denied
> > 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:
> > query (cache) './NS/IN' denied
> >
> > Repeated over and over, how do I tell what they are, and if they are
> > bad, what is the best way to block them?
> > --
> > Scott
>
> Scott,
>
> As you know, these are spoofed queries, created in the hope that you
> will reflect traffic back to these IPs to assist in DDoSing them.
>
> Patrik Rak posted to my blog an iptables rule, which is useful for
> those of us running linux, that drops this specific type of recursive
> query; namely IN NS queries against '.'.
>
> iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
> "0>>22&0...@12>>16=1&&0>>22&0...@20>>24=0&&0>>22&0...@21=0x00020001"
>
> I've tested it, and it appears effective. I now have blessed silence
> in my logfiles.
If you don't also have blessed silence on the counters on this rule there
is still a problem and you should be complaining to whoever is sending
the packets to you. This just stops the amplification; it doesn't clear
up the problem.

> Ideally it'd be great to be able to track back through the internet
> and get every single network operator to implement BCP 38, but while
> that's getting done (and good luck with that), you at least have a
> workaround.
>
> At least until the kiddies change what kind of query they use ... god
> forbid they work out what names an authoritative nameserver WILL
> respond to and query that.
>
> Hope this helps,
>
> Nathan.
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
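As an added illustration, not code from the thread or from the iptables rule's authors: a Python classifier that applies the checks the rule is meant to express, namely locate the UDP payload from the IP header length, then require a DNS question count of 1, a root ('.') query name, QTYPE NS and QCLASS IN. The packet bytes, the source address 66.230.160.1 and port 48517 from Scott's log lines, and the resolver address 192.0.2.53 are constructed here for the test.

```python
import struct

DNS_TYPE_NS = 2
DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def is_root_ns_query(packet: bytes) -> bool:
    """True if an IPv4/UDP packet carries a DNS query whose single question
    is '. NS IN', the reflection probe discussed in the thread."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes (from IHL)
    if packet[9] != 17:                     # IP protocol 17 = UDP
        return False
    udp = packet[ihl:]
    if len(udp) < 8:
        return False
    dns = udp[8:]                           # skip the 8-byte UDP header
    if len(dns) < 17:                       # 12-byte header + root label + type + class
        return False
    qdcount = struct.unpack_from("!H", dns, 4)[0]
    if qdcount != 1:                        # exactly one question
        return False
    if dns[12] != 0:                        # first label length 0 => name is '.'
        return False
    qtype, qclass = struct.unpack_from("!HH", dns, 13)
    return qtype == DNS_TYPE_NS and qclass == DNS_CLASS_IN


def build_query(qname: str, qtype: int, src: str = "66.230.160.1",
                dst: str = "192.0.2.53", sport: int = 48517) -> bytes:
    """Construct a minimal IPv4/UDP/DNS query packet (constructed test input;
    checksums are left zero since the classifier never inspects them)."""
    if qname == ".":
        labels = b""
    else:
        labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, DNS_CLASS_IN)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, qdcount=1
    dns = header + question
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp
```

Counting matches per source address over time gives the same signal as the rule's packet counters that the reply says to keep watching: a match rate that stays high means the spoofed traffic is still arriving even though it is no longer being reflected.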