Brian Schang wrote:
> Hello:
>
> Tom Eastep wrote:
>> I've placed my DNSDDOS action files at
>> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
>> aaREADME.txt file.
>>
>> Shorewall-perl users should be able to use it as-is.
>
> The filter seems to be working well. But I've still seen some sporadic
>   client 213.61.92.192#23951: query (cache) './NS/IN' denied
> in my logfile.
>
> I did some investigation and found that the hexstring is a bit different
> than what is in your rule. Here is a comparison:
>
>   Your: 0100 0001 0000 0000 0000 0000 0200 01
>   Mine: 0000 0001 0000 0000 0000 0000 0200 01
>          ^
>          Difference
>
> As per Wireshark, your rule is looking for a recursive query, while the
> packets I've been seeing are looking for a non-recursive query.
>
> Questions: is what I'm seeing another variant of the DNSDDOS attack, or
> am I maybe seeing these for some legitimate reason?
>
> Thanks for any input you have, and thanks for a great product!
>

Looks like another variant -- I'll update the action.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
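
The two hex strings compared in the thread, decoded field by field, as an added example that is not part of the original messages or of the Shorewall DNSDDOS action files. It assumes the strings are the DNS message bytes that follow the 2-byte transaction ID; `decode` and `is_root_ns_query` are hypothetical names chosen here. The check masks the RD bit so that one test covers both the recursive and the non-recursive variant.

```python
import struct

# The two patterns quoted in the thread (assumed: bytes after the 2-byte DNS ID).
RULE_HEX = "0100 0001 0000 0000 0000 0000 0200 01"  # pattern in the existing rule
SEEN_HEX = "0000 0001 0000 0000 0000 0000 0200 01"  # pattern Brian observed

RD = 0x0100  # Recursion Desired bit in the DNS flags word (RFC 1035)

def decode(hexstr):
    """Decode flags, section counts and the first question."""
    data = bytes.fromhex(hexstr.replace(" ", ""))
    if len(data) < 10:
        raise ValueError("truncated DNS header")
    flags, qd, an, ns, ar = struct.unpack("!5H", data[:10])
    pos, labels = 10, []
    while True:  # walk the length-prefixed labels of QNAME
        if pos >= len(data):
            raise ValueError("truncated QNAME")
        n = data[pos]
        pos += 1
        if n == 0:  # zero-length label terminates the name (root)
            break
        if n & 0xC0 or pos + n > len(data):
            raise ValueError("bad label in question")
        labels.append(data[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!2H", data[pos:pos + 4])
    return {"flags": flags, "rd": bool(flags & RD), "counts": (qd, an, ns, ar),
            "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}

def is_root_ns_query(hexstr):
    """True for a one-question './NS/IN' query, whether RD is set or clear."""
    try:
        m = decode(hexstr)
    except ValueError:
        return False
    return ((m["flags"] & ~RD & 0xFFFF) == 0       # plain query apart from RD
            and m["counts"] == (1, 0, 0, 0)        # one question, nothing else
            and (m["qname"], m["qtype"], m["qclass"]) == (".", 2, 1))  # ./NS/IN

if __name__ == "__main__":
    for name, h in (("rule", RULE_HEX), ("seen", SEEN_HEX)):
        m = decode(h)
        print(name, hex(m["flags"]), "RD" if m["rd"] else "no-RD",
              m["qname"], m["qtype"], m["qclass"], is_root_ns_query(h))
```
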
