Tom Eastep said the following, On 02/03/2009 09:52 AM:
> Steve Ladewig wrote:
>> Tom Eastep said the following, On 01/31/2009 08:07 PM:
>>> I've placed my DNSDDOS action files at
>>> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
>>> aaREADME.txt file.
>>>
>>> Shorewall-perl users should be able to use it as-is.
>>>
>>> -Tom
>> I am not seeing any.
>>
>> Counters reset Sun Feb 1 12:02:03 CST 2009
>>
>> Chain DNSDDOS (1 references)
>>  pkts bytes target prot opt in out source destination
>>     0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|010000010000000000000000020001|" ALGO name bm FROM 30 TO 31
>>  3482  210K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> Yet they are still coming.
>> 03-Feb-2009 09:42:46.115 client 76.9.16.171#63994: view world: query (cache) './NS/IN' denied
>>
>
> Then you will have to use Wireshark and see what the packets that you
> are receiving look like.

I see the pattern at offset 30 but the rule misses it.

10:05:44.057686 IP 76.9.16.171.63109 > 64.108.225.55.domain: 15117+ NS? . (17)
        0x0000: 4500 002d c775 0000 3411 40f3 4c09 10ab
        0x0010: 406c e137 f685 0035 0019 4b9b 3b0d 0100
        0x0020: 0001 0000 0000 0000 0000 0200 0100

If I change the offset back 1 byte to 29 the rule does work.

Counters reset Tue Feb 3 13:43:16 CST 2009

Chain DNSDDOS (1 references)
 pkts bytes target prot opt in out source destination
    4   180 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|010000010000000000000000020001|" ALGO name bm FROM 29 TO 31
   11   627 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Thanks,
steve
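
Added example, not part of the original message: a Python check of where the rule's hex pattern sits in the packet Steve captured. It parses the tcpdump dump quoted above, trims it to the IP total length, and reports the pattern's first and last byte, counting from the first byte of the IP header as the dump does. The function names are illustrative, and the script makes no claim about how the kernel's string match interprets FROM/TO.

```python
import struct

# tcpdump hex dump copied from the message above; 0x0000 is the first IP header byte.
DUMP = """\
0x0000: 4500 002d c775 0000 3411 40f3 4c09 10ab
0x0010: 406c e137 f685 0035 0019 4b9b 3b0d 0100
0x0020: 0001 0000 0000 0000 0000 0200 0100
"""
# Hex string from the DNSDDOS rule's STRING match.
PATTERN = bytes.fromhex("010000010000000000000000020001")


def parse_dump(text):
    """Convert tcpdump hex lines to bytes, dropping the offset column."""
    raw = bytearray()
    for line in text.splitlines():
        hexpart = line.partition(":")[2]
        raw += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(raw)


def locate(raw, pattern):
    """Return header offsets and the pattern's position(s) in an IPv4/UDP packet."""
    if len(raw) < 28 or raw[0] >> 4 != 4 or raw[9] != 17:
        raise ValueError("expected an IPv4 packet carrying UDP")
    total_len = struct.unpack("!H", raw[2:4])[0]
    packet = raw[:total_len]               # drop bytes printed past the IP length
    ihl = (raw[0] & 0x0F) * 4              # 20 unless IP options are present
    payload = ihl + 8                      # UDP header is a fixed 8 bytes
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    starts, pos = [], packet.find(pattern)
    while pos != -1:
        starts.append(pos)
        pos = packet.find(pattern, pos + 1)
    return {
        "total_len": total_len, "ip_header_len": ihl, "dport": dport,
        "payload_offset": payload, "starts": starts,
        "ends": [s + len(pattern) - 1 for s in starts],
    }


if __name__ == "__main__":
    info = locate(parse_dump(DUMP), PATTERN)
    for key, value in info.items():
        print(f"{key:15} {value}")
```

On this packet the pattern starts two bytes into the DNS payload, right after the 16-bit query ID, and ends on the last byte of the datagram.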