On Tue, Jan 27, 2009 at 01:15:25PM +1100, Daniel Pittman wrote:
> Alex Samad <[email protected]> writes:
> 
> > I was wondering how many other people are getting flooded with 
> > named[29134]: client 63.217.28.226#17705: query (cache) './NS/IN' denied
> > dns DDOS attacks ?
> 
> Everyone; it is hugely prevalent at the moment, and it can be very hard
> to handle the situation nicely with the currently available tools.
> 
> http://isc.sans.org/diary.html?storyid=5713

Interesting. I have modified my firewall (based on my ssh filtering):

IPT='/usr/sbin/iptables'
if [ ! -e $IPT ]
then
        echo "Unable to find $IPT, disabling rule loading"
        IPT=':'    # ':' is a no-op, so every $IPT line below is skipped
fi

# Extra options for the ULOG target (e.g. --ulog-nlgroup N); empty if unset.
ULOG_OPTIONS=${ULOG_OPTIONS:-}

# Create the DNS chain if it does not exist yet, then start it empty.
$IPT -t filter -L DNS -n >/dev/null 2>&1 || $IPT -t filter --new-chain DNS
$IPT -t filter --flush DNS

# DNS: per-source rate limit using the "recent" match.
# Record the source address in the DNS list.
$IPT -t filter -A DNS -m recent --set --name DNS
# Accept unless this source has already been seen 8 times in the last hour.
$IPT -t filter -A DNS -m recent --name DNS ! --rcheck --seconds 3600 --hitcount 8 --jump ACCEPT
# Over the limit: refresh the entry's timestamp so a flooding source stays throttled.
$IPT -t filter -A DNS -m recent --name DNS --update
# Log only the first few rejections per source per hour, tracked in a second
# list so the log itself is rate-limited (ULOG is non-terminating, the packet
# continues down the chain).
$IPT -t filter -A DNS -m recent --set --name DNSLOG
$IPT -t filter -A DNS -m recent --name DNSLOG ! --rcheck --seconds 3600 --hitcount 4 --jump ULOG $ULOG_OPTIONS --ulog-prefix "sydrt01 (DNS)"
$IPT -t filter -A DNS -m recent --name DNSLOG --update
# Everything that gets this far is over the limit.
#$IPT -t filter -A DNS -j DROP
#$IPT -t filter -A DNS -j REJECT --reject-with icmp-port-unreachable
$IPT -t filter -A DNS -j REJECT --reject-with icmp-host-unreachable

# The chain only does anything once traffic is sent to it, e.g. from INPUT for
# new port-53 packets:  -A INPUT -p udp --dport 53 -m state --state NEW -j DNS


I kind of figure that the DNS records should be cached for more than an
hour anyway, so.

Doesn't stop them getting down my ADSL link, but at least it keeps them
off my DNS server :{


> 
> Regards,
>         Daniel
> -- 
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
> 

-- 
"I don't see why it matters what is written. Not when it's about people.
It can always be crossed out."
        -- (Terry Pratchett & Neil Gaiman, Good Omens)
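Added example, not part of Alex's post or of the thread: a small shell script that summarises the named log lines quoted above ("query (cache) './NS/IN' denied") per client, so you can see which sources the iptables "recent" rule would throttle and check that its hit-count threshold matches what the log shows. The log lines are constructed for the example (syslog format as written by BIND's named; the hostname sydrt01 is taken from the post's ulog-prefix, the pid, times and 10.0.0.0/8 addresses are made up, and 63.217.28.226 is the source quoted in the thread); the function name dns_offenders is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post: count the "query (cache)
# './NS/IN' denied" lines that named logs during the reflection flood,
# per client, and report the sources over a threshold.

# Constructed sample log lines (syslog format as written by BIND's named).
# sydrt01 comes from the post's ulog-prefix; the pid, times and 10.0.0.0/8
# addresses are made up; 63.217.28.226 is the source quoted in the thread.
sample_log() {
    cat <<'EOF'
Jan 27 13:10:01 sydrt01 named[29134]: client 63.217.28.226#17705: query (cache) './NS/IN' denied
Jan 27 13:10:02 sydrt01 named[29134]: client 63.217.28.226#17705: query (cache) './NS/IN' denied
Jan 27 13:10:02 sydrt01 named[29134]: client 10.1.2.3#53210: query (cache) 'example.com/A/IN' denied
Jan 27 13:10:03 sydrt01 named[29134]: client 63.217.28.226#17705: query (cache) './NS/IN' denied
Jan 27 13:10:04 sydrt01 named[29134]: client 10.9.8.7#4000: query (cache) './NS/IN' denied
Jan 27 13:10:05 sydrt01 named[29134]: client 63.217.28.226#17705: query (cache) './NS/IN' denied
Jan 27 13:10:06 sydrt01 named[29134]: client 10.9.8.7#4000: query (cache) './NS/IN' denied
Jan 27 13:10:07 sydrt01 named[29134]: zone localhost/IN: loaded serial 1
EOF
}

# dns_offenders [THRESHOLD]: read named log lines on stdin and print
# "<count> <client ip>" for every client denied at least THRESHOLD root-NS
# queries (default 8, the per-hour figure in the iptables rule), busiest
# first. Only the './NS/IN' query used by the flood is counted; other
# refused queries and unrelated named messages are ignored.
dns_offenders() {
    awk -v min="${1:-8}" '
        # the single quotes around ./NS/IN are matched with "." so the
        # awk program needs no shell quoting tricks
        /: query \(cache\) .\.\/NS\/IN. denied$/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "client") {
                    split($(i + 1), a, "#")   # "1.2.3.4#port:" -> "1.2.3.4"
                    hits[a[1]]++
                }
            }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip
        }
    ' | sort -rn
}

# Stand-alone run against the constructed sample, with a low threshold so
# the short sample produces output. On a real box:
#   dns_offenders 8 < /var/log/syslog
sample_log | dns_offenders 2
```

The threshold is the same "8 per source per hour" figure the iptables rule uses, so running this over an hour's worth of syslog tells you how many clients the chain would actually reject and whether a legitimate resolver is among them.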
