Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

Your packets must be different than the ones I've seen.  The isc.org 
packets I typically get are 36 bytes in length.  I am also getting 
flooded with ANY queries for the root zone which are 28 bytes.  It would 
be nice if the little script kiddies were smart enough to realize their 
flood has been blocked for the last 3 months, but I guess that would 
require them to poses more intelligence than pointing&clicking.


On 05/20/2013 09:04 AM, kennytaylor AT runbox.com wrote:
> Hi Psilo,
>
> I have been doing battle with the isc.org ANY queries for a month or so.  
> Those queries are all 64 bytes in length, so I set iptables rules to handle 
> 64-byte packets differently.  Basically this:
>
> - If packet length = 64, then allow up to 1/second per source IP    (matches 
> isc.org ANY queries)
>      - Drop all 64-byte packets in excess of above rule
> - If packet length = 56, then allow up to 1/second per source IP
>
> ----- Start Original Message -----
> Sent: Mon, 20 May 2013 16:23:00 +0200
> From: Psilo <dns AT psilo.org>
> To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
> Subject: [opennic-discuss] iptables rules inefficient
>
> > Dear OpenNIC,
> >
> > I have setup my iptables rules according to the wiki but still getting a
> > lot of unwanted traffic with isc.org and ripe.net.
> > Here is the output of dnstop:
> >
> > Query Name           Count      %
> > ---------------- --------- ------
> > ripe.net               590   54.2
> > isc.org                406   37.3
> > cnr.it                  13    1.2
> > akamaiedge.net           6    0.6
> > 140.in-addr.arpa         6    0.6
> > 125.in-addr.arpa         5    0.5
> > 2-0.pl                   5    0.5
> > 86.in-addr.arpa          5    0.5
> > multi-play.pl            4    0.4
> > multi-play.eu            4    0.4
> > net.pl                   4    0.4
> > 202.in-addr.arpa         3    0.3
> > 46.in-addr.arpa          3    0.3
> > 91.in-addr.arpa          3    0.3
> >
> > I have setup the following iptables rules which were supposed to block this
> > traffic:
> >
> > # isc.org
> > -A DNSFILTER -p udp -m string --hex-string
> > "|00000000000103697363036f726700|" --algo bm --dport 53 -j DROP
> > # ripe.net
> > -A DNSFILTER -p udp -m string --hex-string
> > "|0000000000010472697065036e6574|" --algo bm --dport 53 -j DROP
> >
> > The "ddos.pl" script is neither efficient.
> >
> > I am getting annoyed by my provider who wants to cut the server because of
> > this traffic.
> >
> > Can you please help me figure what's wrong? Do you have a more aggressive
> > version of this filters?
> >
> > Thanks
> > Psilo
> >
> >
> > --------
> > You are a member of the OpenNIC Discuss list.
> > You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
> ----- End Original Message -----
>
>
> --------
> You are a member of the OpenNIC Discuss list.
> You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org