Hello,
I was thinking of blocking only the clients who attack, with something like this:
/sbin/iptables --insert INPUT -s IP-ADDRESS-CLIENT-WHO-ATTACK -p udp --dport 53 \
  -m string --from 40 --to 80 --algo bm --hex-string '|somethinghere|' \
  -j DROP -m comment --comment "DROP DNS AAAA DDoS"
Does anyone know what the proper iptables --hex-string should look like to block all AAAA
with IP address AAA.BBB.CCC.DDD?
Best Regards
Marek
In message <e7f58592-1570-494f-a530-97e54b8c04cf at rrcic.com>, "John W.
Blue" writes:
Hello Marek,
Do you have an IPv6 assignment? If not, there is really no need to even
be resolving AAAA records. An overly simplistic description of a
potential solution could be to just drop the incoming AAAA request via
its hex value in much the same way rate limiting is done for the "any"
query:
--hex-string '|0000FF0001|'
I don't know offhand what the hex value for AAAA is, but it should not be
too hard to find.
John
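As an added example (not part of the thread), the script below shows where the byte pattern in John's rule comes from and what the equivalent is for AAAA: the pattern is the zero byte that terminates the QNAME, followed by the 2-byte QTYPE and the 2-byte class IN. It also parses the question section properly, which is what a selective rate limiter (rather than a blanket drop) would rely on. The domain names and transaction id are constructed; the --from 40 offset assumes a plain IPv4 header (20 bytes) plus UDP (8) plus DNS header (12).

```python
import struct

# QTYPE values from RFC 1035 / RFC 3596; class IN = 1.
QTYPE = {"A": 1, "AAAA": 28, "ANY": 255}


def encode_qname(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS query payload (the bytes after the IP and UDP headers)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_qname(name) + struct.pack("!HH", QTYPE[qtype], 1)


def hex_string_for(qtype: str) -> str:
    """iptables --hex-string for 'end of QNAME, QTYPE, class IN'.
    ANY gives |0000FF0001| (John's pattern); AAAA gives |00001C0001|."""
    return "|00%04X0001|" % QTYPE[qtype]


def question_qtype(dns_payload: bytes) -> int:
    """Return the QTYPE of the first question by walking the labels,
    instead of matching raw bytes that could also occur inside a label."""
    qdcount = struct.unpack("!H", dns_payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12                                   # DNS header is 12 bytes
    while dns_payload[pos] != 0:               # queries carry no name compression
        pos += 1 + dns_payload[pos]
    qtype, _qclass = struct.unpack("!HH", dns_payload[pos + 1:pos + 5])
    return qtype


def pattern_matches(dns_payload: bytes, qtype: str) -> bool:
    """Emulate the string match over the question section. In the iptables
    rule, --from 40 = IP(20) + UDP(8) + DNS header(12), i.e. offset 12 here."""
    pat = bytes.fromhex(hex_string_for(qtype).strip("|"))
    return pat in dns_payload[12:]
```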
Just dropping AAAA queries is a bad idea, as most machines actually
have AAAA addresses (loopback and link-local), so just about every
application makes AAAA queries. If you drop AAAA queries, you slow
up every address lookup in your network.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users