Hello,
I was thinking of blocking only the clients who attack, with something like this:
/sbin/iptables --insert INPUT -s IP-ADDRESS-CLIENT-WHO-ATTACK -p udp --dport 53 \
  -m string --from 40 --to 80 --algo bm --hex-string '|somethinghere|' \
  -j DROP -m comment --comment "DROP DNS DDoS"
Anyone know how
In message , "John W. Blue"
writes:
> Apologies. The intent is to drop inbound queries from the internet.
Which is just as bad if they are pointing to a delegated server or
are replies to queries from your recursive server. You slow up
Apologies. The intent is to drop inbound queries from the internet.
Sent from Nine<http://www.9folders.com/>
From: Mark Andrews <ma...@isc.org>
Sent: May 16, 2016 3:41 PM
To: John W. Blue
Cc: bind-users@lists.isc.org
Subject: Re: New type of DDoS? Anyone saw it?
In message &l
In message , "John W. Blue"
writes:
>
> Hello Marek,
>
> Do you have an IPv6 assignment? If not, there is really no need to even
> be resolving records. An overly simplistic description of a
> potential solution could be to just drop the
On Mon, May 16, 2016 at 09:20:17PM +0200, Marek Królikowski wrote:
> Hello
> I just called one of the clients who does this DDoS and he confirmed he uses UBI
> devices
> Does anyone know how to block all queries like this: "query 331.206.372.214 IN
> " with a random AAA.XXX.YYY.ZZZ address?
o:bert.hub...@netherlabs.nl]
Sent: Monday, May 16, 2016 5:45 PM
To: Marek Królikowski <ad...@wset.edu.pl>
Cc: bind-users@lists.isc.org
Subject: Re: New type of DDoS? Anyone saw it?
On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today I saw my bind eat almost 90%
On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today I saw my bind eat almost 90% of RAM. When I checked the logs I found an
> interesting DDoS on my DNS Cluster today:
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212
> IN + (8X.1X0.Y.Y)
This may be
Hello Marek,
Do you have an IPv6 assignment? If not, there is really no need to even be
resolving records. An overly simplistic description of a potential
solution could be to just drop the incoming request via its hex value in
much the same way rate limiting is done for the "any"