Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

Sorry I'm late to the party.. but yes, the ddosBlock script is intended 
exactly for this sort of thing.  Most of these attacks will in fact come 
on port 25345, however I started seeing similar instances that were 
hitting other port numbers.  The key to identifying this type of attack 
is the fact that it *always* comes in on the same port number while it 
is running.  (A normal packet would come on random port numbers.)

The current version of the script will identify this kind of attack on 
any port, and aimed at any target.  As Julian mentioned, it must be run 
as the root user - others have had problems trying to run this script 
under sudo.  Also as mentioned, you should run this script ONCE and let 
it form into the background using & on the command.  It should be pretty 
easy on your cpu and memory.

If you have any problems with it, shout at me on IRC (shdwdrgn) and 
we'll see what needs tweaked.


On 03/08/2012 04:24 PM, Peter Green wrote:
> Hi,
>
> I am getting this line in my named log about once per second...
>
> "08-Mar-2012 23:10:30.885 client 212.227.135.196#80: query: isc.org IN 
> ANY +ED (83.142.229.97)"
>
> It seems to be an extremely close match to the attack mentioned here...
> http://wiki.opennicproject.org/ddosBlock
>
> That script seems to be aimed at port 25345 where as my log seems to 
> show port 80.
>
> Will Jeff's script help and if so, do I simply run it from crontab 
> every second?
>
> I am concerned this may start to impact the websites I am hosting on 
> that server.
>
> I have never added this server to the public list, and wonder why it's 
> being targeted.
>
> I hope someone can help.
>
> Peter