On 14 Feb 2003 at 14:19, David Thacker wrote:

> Greetings,
>
> Some hosehead from 211.135.200.222 [IP1A0602.hkd.mesh.ad.jp] has been
> banging my RaQ4 server with this DNS attack for over a week:
>
> Feb 14 12:08:42 www named[1101]: denied update from [211.135.200.222].3381
> for "targetdomain.com" IN
>
> The port number increases each time, and he'll go in blocks of about 50-75
> ports in a run. It's starting to bug me.
>
> How can I block this IP from reaching my server, specifically named? Will
> listing him in /etc/hosts.deny be effective, or will that not work because
> named doesn't go through inetd?

Back to the original question of blocking DNS:

You can block the attacker with ipchains:

$IPCHAINS -A input -p tcp -s 211.135.200.222 -d $YOURIP 53 -j DENY
$IPCHAINS -A input -p udp -s 211.135.200.222 -d $YOURIP 53 -j DENY

Replace $IPCHAINS with the path to ipchains and $YOURIP with your IP address.

This will only block DNS; to block everything from this host, remove the '53'.

Regards
Ian
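
Added example, not part of the original thread: a way to tally "denied update" sources from syslog lines in the format quoted above and print the matching ipchains DENY rules for review. The function names, the threshold, the 192.0.2.x addresses and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample syslog lines in the format quoted in the thread.
sample_log() {
cat <<'EOF'
Feb 14 12:08:42 www named[1101]: denied update from [211.135.200.222].3381 for "targetdomain.com" IN
Feb 14 12:08:43 www named[1101]: denied update from [211.135.200.222].3382 for "targetdomain.com" IN
Feb 14 12:08:44 www named[1101]: denied update from [211.135.200.222].3383 for "targetdomain.com" IN
Feb 14 12:09:10 www named[1101]: denied update from [192.0.2.10].1044 for "targetdomain.com" IN
Feb 14 12:09:30 www sshd[2200]: Connection from [211.135.200.222].4000
EOF
}

# denied_update_sources THRESHOLD (hypothetical helper): read syslog on
# stdin and print "count ip" for every source with at least THRESHOLD
# denied updates, busiest first.
denied_update_sources() {
    awk -v min="$1" '
        / named\[[0-9]+\]: denied update from \[/ {
            # The source is logged as "[a.b.c.d].port"; accept only a
            # dotted quad so nothing else from the log reaches a rule.
            if (match($0, /from \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\.[0-9]+ /)) {
                ip = substr($0, RSTART + 6, RLENGTH - 6)
                sub(/\].*/, "", ip)
                count[ip]++
            }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# emit_rules YOURIP (hypothetical helper): turn "count ip" lines into the
# two ipchains rules from the reply. Rules are printed, not executed:
# UDP source addresses can be forged, so review the list before applying.
emit_rules() {
    while read -r _count ip; do
        for proto in tcp udp; do
            echo "ipchains -A input -p $proto -s $ip -d $1 53 -j DENY"
        done
    done
}

# Demo on the constructed log; 192.0.2.53 stands in for $YOURIP.
sample_log | denied_update_sources 3 | emit_rules 192.0.2.53
```

On a live server, feed the real log to denied_update_sources on stdin in place of sample_log.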
