Discuss mailing list

[Psilo <dns AT psilo.org>]

Dear OpenNIC,

I have setup my iptables rules according to the wiki but still getting a lot of unwanted traffic with isc.org and ripe.net.

Here is the output of dnstop:

Query Name           Count      %
---------------- --------- ------
ripe.net               590   54.2
isc.org                406   37.3
cnr.it                  13    1.2
akamaiedge.net           6    0.6
140.in-addr.arpa         6    0.6
125.in-addr.arpa         5    0.5
2-0.pl                   5    0.5
86.in-addr.arpa          5    0.5
multi-play.pl            4    0.4
multi-play.eu            4    0.4
net.pl                   4    0.4
202.in-addr.arpa         3    0.3
46.in-addr.arpa          3    0.3
91.in-addr.arpa          3    0.3

I have setup the following iptables rules which were supposed to block this traffic:

# isc.org
-A DNSFILTER -p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --dport 53 -j DROP
# ripe.net
-A DNSFILTER -p udp -m string --hex-string "|0000000000010472697065036e6574|" --algo bm --dport 53 -j DROP

The "ddos.pl" script is neither efficient.

I am getting annoyed by my provider who wants to cut the server because of this traffic.

Can you please help me figure what's wrong? Do you have a more aggressive version of this filters?

Thanks
Psilo