On 8/3/2014 9:28 AM, Tom Eastep wrote:
> On 8/3/2014 7:36 AM, Ruud Baart wrote:
>> Tom,
>>
>> It is now nearly two months later and I can safely conclude that blocking
>> the DNS cache queries works for our servers. It takes a lot of load from
>> our DNS servers.
>>
>> Because the shorewall rule to block this attack is so effective and
>> because I think we are not the only ones that are severely attacked,
>> would it be an idea to make this rule a documented and maintained part
>> of Shorewall? If so, below is a start of documenting this rule. Perhaps
>> other people can help and make it a well documented part of Shorewall.
>
> Good idea.
>
>> 4. Part of the rule is --hex-string "|01000001|". This works but is
>> most likely not precise enough. There is no guarantee that only the
>> queries with recursion desired flags are blocked. There must be a
>> way to block the packets more precisely. Perhaps with the iptables
>> options "-m u32 --u32"? I'm not capable of writing such a rule.
>
> Have you looked at http://www.stearns.org/doc/iptables-u32.current.html?
> The 'Checking for values in the UDP payload' section already shows you
> how to check for DNS queries using "-m u32 --u32 ..."
There is a defect in the above article -- the query/response flag is 1 on a
response, not on a query. Nevertheless, this u32 match seems to work:

    -m u32 --u32 "0>>22&0x3C@8&0x0100=0x0100 && 0>>22&0x3C@12>>16=1"

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
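As an added illustration, not part of the thread: a small Python evaluator for the subset of u32 syntax used in the rule above, run against constructed IPv4/UDP/DNS packets, so the match can be checked offline before it goes into a firewall. It walks the expression the way the kernel does (load 4 bytes, shift/mask, `@` re-bases the offset at the IP header length, then compares), and shows that an RD query with QDCOUNT=1 matches, a non-RD query or QDCOUNT=2 does not, an IHL of 6 is handled, and, because the expression never tests the QR bit, a response that carries RD matches as well. The functions `u32_match` and `dns_over_udp` and the sample packets are constructed here, not taken from the page.

```python
import re
import struct

# The '-m u32' match from the thread, evaluated in pure Python so its behaviour
# can be checked offline against constructed packets.
RULE = "0>>22&0x3C@8&0x0100=0x0100 && 0>>22&0x3C@12>>16=1"

def u32_match(expr, pkt):
    """Evaluate an iptables u32 expression against raw IPv4 packet bytes.
    Supports the subset the rule uses: &, <<, >>, @ (re-base), '=' with
    optional lo:hi ranges, and '&&'. Any out-of-bounds load fails the match."""
    def load(off):
        if off < 0 or off + 4 > len(pkt):
            raise IndexError(off)
        return struct.unpack_from("!I", pkt, off)[0]
    try:
        for test in expr.split("&&"):
            loc, _, rhs = test.partition("=")
            toks = re.findall(r"<<|>>|[&@]|0x[0-9a-fA-F]+|\d+", loc)
            base, val = 0, load(int(toks[0], 0))
            for op, num in zip(toks[1::2], toks[2::2]):
                n = int(num, 0)
                if op == "&":
                    val &= n
                elif op == ">>":
                    val >>= n
                elif op == "<<":
                    val = (val << n) & 0xFFFFFFFF
                else:  # '@': the current value becomes the new base offset
                    base += val
                    val = load(base + n)
            ranges = [r.partition(":") for r in rhs.split(",")]
            if not any(int(lo, 0) <= val <= int(hi or lo, 0) for lo, _, hi in ranges):
                return False
        return True
    except IndexError:
        return False

def dns_over_udp(flags, qdcount=1, ancount=0, ihl=5):
    """Constructed sample IPv4/UDP/DNS packet (not a capture); ihl > 5 pads
    the IP header with zero option bytes so the IHL arithmetic is exercised."""
    dns = struct.pack("!HHHHHH", 0x1234, flags, qdcount, ancount, 0, 0)
    dns += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # example.com A IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    hdr_len = ihl * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, hdr_len + len(udp), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    return ip + b"\x00" * (hdr_len - 20) + udp
```

`u32_match(RULE, dns_over_udp(0x0100))` returns True; with flags 0x0000 or `qdcount=2` it returns False, and with flags 0x8180 (a response with RD and RA set) it returns True because the QR bit is never tested.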
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users