Hello:
Tom Eastep wrote:
> I've placed my DNSDDOS action files at
> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
> aaREADME.txt file.
>
> Shorewall-perl users should be able to use it as-is.
The filter seems to be working well. But I've still seen some sporadic
client 213.61.92.192#23951: query (cache) './NS/IN' denied
in my logfile.
I did some investigation and found that the hexstring is a bit different
than what is in your rule. Here is a comparison:
Your: 0100 0001 0000 0000 0000 0000 0200 01
Mine: 0000 0001 0000 0000 0000 0000 0200 01
       ^
       Difference
As per Wireshark, your rule is looking for a recursive query, while the
packets I've been seeing are looking for a non-recursive query.
Questions: is what I'm seeing another variant of the DNSDDOS attack, or
am I maybe seeing these for some legitimate reason?
Thanks for any input you have, and thanks for a great product!
--
Brian Schang
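
The two hex strings compared in the message, decoded field by field and matched with the recursion bit masked out. This is an added example, not part of the original post or of the Shorewall DNSDDOS action files. It assumes each string is the 15 bytes of a DNS query that follow the 2-byte transaction ID; `decode` and `is_root_ns_query` are hypothetical helper names.

```python
import struct

# Hex strings copied from the message: assumed to be the 15 bytes of a DNS
# query after the 2-byte transaction ID (flags, four counts, the question).
RULE_HEX = "0100 0001 0000 0000 0000 0000 0200 01"
SEEN_HEX = "0000 0001 0000 0000 0000 0000 0200 01"

RD_BIT = 0x0100  # "recursion desired" flag in the DNS header flags word


def decode(hexstr):
    """Decode the 15 bytes after the transaction ID into named fields."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) != 15:
        raise ValueError("expected 15 bytes, got %d" % len(raw))
    flags, qd, an, ns, ar = struct.unpack("!5H", raw[:10])
    qtype, qclass = struct.unpack("!2H", raw[11:15])
    return {
        "qr": flags >> 15,              # 0 = query
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "rd": bool(flags & RD_BIT),
        "counts": (qd, an, ns, ar),
        "qname_is_root": raw[10] == 0,  # a single zero byte is the root name
        "qtype": qtype,                 # 2 = NS
        "qclass": qclass,               # 1 = IN
    }


def is_root_ns_query(after_id):
    """True for a './NS/IN' query whether or not the RD bit is set."""
    if len(after_id) < 15:
        return False  # too short to hold header fields plus the question
    flags = struct.unpack("!H", after_id[:2])[0]
    masked = struct.pack("!H", flags & ~RD_BIT & 0xFFFF) + after_id[2:15]
    return masked == bytes.fromhex(SEEN_HEX.replace(" ", ""))


if __name__ == "__main__":
    for label, hexstr in (("rule", RULE_HEX), ("seen", SEEN_HEX)):
        print(label, decode(hexstr))
```
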