
Re: [opennic-discuss] iptables rules inefficient


  • From: <kennytaylor AT runbox.com>
  • To: "discuss" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] iptables rules inefficient
  • Date: Tue, 21 May 2013 08:44:22 -0700 (PDT)

Heh yes. The ISC.org packets I'm receiving look like this:

IP Header: 20 bytes
UDP Header: 8 bytes
UDP Payload: 36 bytes

So we're probably seeing the same thing. The iptables rule just wants me to
call that a 64-byte packet :)


----- Start Original Message -----
Sent: Tue, 21 May 2013 09:07:02 -0600
From: Jeff Taylor <shdwdrgn AT sourpuss.net>
To: discuss AT lists.opennicproject.org
Subject: Re: [opennic-discuss] iptables rules inefficient

> Your packets must be different than the ones I've seen. The isc.org
> packets I typically get are 36 bytes in length. I am also getting
> flooded with ANY queries for the root zone which are 28 bytes. It would
> be nice if the little script kiddies were smart enough to realize their
> flood has been blocked for the last 3 months, but I guess that would
> require them to possess more intelligence than pointing & clicking.
>
>
> On 05/20/2013 09:04 AM, kennytaylor AT runbox.com wrote:
> > Hi Psilo,
> >
> > I have been doing battle with the isc.org ANY queries for a month or so.
> > Those queries are all 64 bytes in length, so I set iptables rules to
> > handle 64-byte packets differently. Basically this:
> >
> > - If packet length = 64, then allow up to 1/second per source IP
> > (matches isc.org ANY queries)
> > - Drop all 64-byte packets in excess of above rule
> > - If packet length = 56, then allow up to 1/second per source IP
> >
> > ----- Start Original Message -----
> > Sent: Mon, 20 May 2013 16:23:00 +0200
> > From: Psilo <dns AT psilo.org>
> > To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
> > Subject: [opennic-discuss] iptables rules inefficient
> >
> >> Dear OpenNIC,
> >>
> >> I have set up my iptables rules according to the wiki but am still getting a
> >> lot of unwanted traffic with isc.org and ripe.net.
> >> Here is the output of dnstop:
> >>
> >> Query Name          Count      %
> >> ----------------    -----    -----
> >> ripe.net              590     54.2
> >> isc.org               406     37.3
> >> cnr.it                 13      1.2
> >> akamaiedge.net          6      0.6
> >> 140.in-addr.arpa        6      0.6
> >> 125.in-addr.arpa        5      0.5
> >> 2-0.pl                  5      0.5
> >> 86.in-addr.arpa         5      0.5
> >> multi-play.pl           4      0.4
> >> multi-play.eu           4      0.4
> >> net.pl                  4      0.4
> >> 202.in-addr.arpa        3      0.3
> >> 46.in-addr.arpa         3      0.3
> >> 91.in-addr.arpa         3      0.3
> >>
> >> I have set up the following iptables rules, which were supposed to block
> >> this traffic:
> >>
> >> # isc.org
> >> -A DNSFILTER -p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --dport 53 -j DROP
> >> # ripe.net
> >> -A DNSFILTER -p udp -m string --hex-string "|0000000000010472697065036e6574|" --algo bm --dport 53 -j DROP
> >>
> >> The "ddos.pl" script is not efficient either.
> >>
> >> I am getting annoyed by my provider, who wants to cut the server because
> >> of this traffic.
> >>
> >> Can you please help me figure out what's wrong? Do you have a more aggressive
> >> version of these filters?
> >>
> >> Thanks
> >> Psilo
> >>
> >>
> >> --------
> >> You are a member of the OpenNIC Discuss list.
> >> You may unsubscribe by emailing
> >> discuss-unsubscribe AT lists.opennicproject.org
> > ----- End Original Message -----
> >
>

----- End Original Message -----
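A worked check of what the rules in this thread actually match, added here as an example and not code from the list or its wiki: it builds the DNS ANY query with an EDNS OPT record that both the 36-byte isc.org and 28-byte root-zone queries correspond to (20 + 8 + 36 = 64 and 20 + 8 + 28 = 56 bytes on the wire, the lengths the rate-limit rules key on), and shows that the leading `000000000001` of the `--hex-string` pattern is the ANCOUNT/NSCOUNT/ARCOUNT header fields, so the rule only fires on queries carrying exactly one additional record. The RD flag, transaction id 0 and the 4096-byte EDNS buffer size are constructed assumptions.

```python
import struct

QTYPE_ANY = 255
QCLASS_IN = 1

def encode_qname(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_any_query(name: str, edns: bool = True, txid: int = 0) -> bytes:
    """UDP payload of a DNS ANY query as described in the thread: 12-byte header,
    one question and, when edns is set, an OPT RR in the additional section that
    asks for a large UDP response. Flag 0x0100 (RD) and txid are constructed values."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_qname(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS field = 4096-byte UDP size, TTL field 0, RDLEN 0
    opt = (b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)) if edns else b""
    return header + question + opt

def ip_packet_length(payload: bytes) -> int:
    """Size that iptables '-m length' sees: 20-byte IPv4 header + 8-byte UDP header + payload."""
    return 20 + 8 + len(payload)

def rule_hex_string(name: str) -> str:
    """Pattern in the style of the wiki rules: ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 followed
    by the wire-format QNAME. Including ARCOUNT means a query without the EDNS OPT RR
    (ARCOUNT=0) does not match, which is worth knowing when a filter seems to leak."""
    return (struct.pack("!HHH", 0, 0, 1) + encode_qname(name)).hex()

def string_match(payload: bytes, hex_string: str) -> bool:
    """Emulate '-m string --hex-string': plain substring search anywhere in the packet."""
    return bytes.fromhex(hex_string) in payload

if __name__ == "__main__":
    for qname in ("isc.org", "ripe.net", "."):
        q = build_any_query(qname)
        print(f"{qname:>9}: payload {len(q)} bytes, on the wire {ip_packet_length(q)} bytes, "
              f"pattern {rule_hex_string(qname)}")
```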


Archive powered by MHonArc 2.6.19.
