Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

An update to this... checking my own logs tonight, I see a new attack 
occurring.  Source port is 48849, and the query info is for "3371.rr.nu IN TXT +E"


On 06/19/2011 08:28 PM, Jeff Taylor wrote:
> We've had some small bits of discussion on IRC over the weekend regarding a 
> flood of MX queries that result in errors.  If you do any sort of logging on 
> your server, see if you can pick out any trends.
>
> One known issue to check for that might account for your sudden activity... 
> check to see if you have large blocks of DNS activity that all come in on port 
> 25345 and are looking for isc.org.  If you are seeing this, someone is trying 
> to use your server in an attempt to DDOS the creators of BIND (don't ask why, 
> nobody has been able to figure that out)... I have a bash script you can run 
> in the background that will automatically add and expire iptables rules to 
> control the flow, however it requires that you have a log file showing the 
> offending IP addresses.  Send me an email or catch me on IRC if you need to 
> use this.