- From: "Kevin Holly (Fusl)" <opennic AT lists.dedilink.eu>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] block new dns-amp. attack domain
- Date: Mon, 21 Jul 2014 10:21:32 +0200
Or simply use PowerDNS and configure any-to-tcp:
$ dig +notcp +ignore ANY webpanel.sk.
; <<>> DiG 9.8.3-P1 <<>> +notcp +ignore ANY webpanel.sk.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50582
;; flags: qr tc rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;webpanel.sk. IN ANY
;; Query time: 26 msec
;; SERVER: 78.47.34.12#53(78.47.34.12)
;; WHEN: Mon Jul 21 10:18:36 2014
;; MSG SIZE rcvd: 29
The tc (truncated) bit here tells the client that it did not receive
all the information over UDP and has to re-query over TCP, and since
these queries are not real queries, it does not take any further action.
Doing an outbound rate limit with iptables on UDP answers that have the
truncated bit set also helps with not taking part in DNS amplification
with ANY? queries. Yes, I'm aware that there are also DNS amplification
attacks with A?, AAAA? or TXT? queries, but ANY? attacks are the most
commonly seen ones.
On 17/07/14 16:28, oVPN.to Support wrote:
> Check your queries for "ANY"-type requests to webpanel.sk! If you
> have them, drop them with iptables, or your server is part of a
> DNS amplification attack. You should not see more such queries once
> the iptables rule is added.
>
> iptables --insert INPUT -p udp --dport 53 -m string --from 20 --to 40 --algo bm --hex-string '|0877656270616e656c02736b0000ff00010000292328|' -m comment --comment "webpanel.sk" -j DROP
--
Best regards
Kevin Holly - root AT hallowe.lt - http://hallowe.lt/
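Added example, not code from the thread and not PowerDNS' or iptables' own implementation: a small Python script that decodes the question section the quoted hex-string matches, flags an ANY query for webpanel.sk the way the iptables rule does, builds the empty TC reply that any-to-tcp sends (the same 29-byte shape as the dig output above), and keeps a per-source cap on TC replies as a stand-in for the outbound iptables rate limit Kevin mentions. The sample packets, source addresses and timestamps are constructed; the offset arithmetic (20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header = 40) is our assumption about why the rule uses `--from 20 --to 40`.

```python
"""DNS amplification: decode the abused ANY query, answer it with TC set,
and cap TC replies per source. Added example; all packets are constructed."""
import struct

QTYPE_ANY = 255
QTYPE_OPT = 41
CLASS_IN = 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080

# Hex string from the quoted iptables rule: the question section for
# "webpanel.sk IN ANY" followed by the start of an OPT RR (type 41,
# UDP payload size 0x2328 = 9000). Assumption: it begins at byte 40 of the
# IPv4 packet (20 IP + 8 UDP + 12 DNS header), inside --from 20 --to 40.
IPTABLES_HEX = "0877656270616e656c02736b0000ff00010000292328"


def encode_name(name):
    """'webpanel.sk' -> b'\\x08webpanel\\x02sk\\x00' (wire-format labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_payload=None):
    """Constructed sample UDP query. edns_payload adds an OPT RR advertising a
    large UDP buffer, which an amplifier uses to get the biggest answer back."""
    arcount = 1 if edns_payload else 0
    hdr = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_payload, 0, 0)
    return hdr + question + opt


def decode_name(pkt, off):
    """Read an uncompressed wire-format name; return (name, next_offset)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def parse_query(pkt):
    """Return txid, qname, qtype and the EDNS payload size (None if no OPT)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns = None
    if ar >= 1 and off < len(pkt) and pkt[off] == 0:  # OPT owner is root
        rtype, rclass = struct.unpack("!HH", pkt[off + 1:off + 5])
        if rtype == QTYPE_OPT:
            edns = rclass
    return {"txid": txid, "qname": qname, "qtype": qtype, "edns_payload": edns}


def is_amp_query(pkt, blocked_names=("webpanel.sk",)):
    """What the iptables rule matches: an ANY query for a known abused name."""
    q = parse_query(pkt)
    return q["qtype"] == QTYPE_ANY and q["qname"] in blocked_names


def truncated_reply(pkt):
    """Empty NOERROR answer with TC set, echoing the question: a spoofed
    victim ignores it, a real client retries over TCP (any-to-tcp)."""
    _, q_end = decode_name(pkt, 12)
    q_end += 4
    txid = struct.unpack("!H", pkt[:2])[0]
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return hdr + pkt[12:q_end]


class TcRateLimiter:
    """Per-source cap on TC replies per window, the in-process equivalent of
    rate-limiting outbound truncated answers with iptables. Above the cap
    the query is simply not answered at all."""

    def __init__(self, limit, window):
        self.limit, self.window, self.seen = limit, window, {}

    def allow(self, src, now):
        stamps = [t for t in self.seen.get(src, []) if now - t < self.window]
        if len(stamps) < self.limit:
            stamps.append(now)
        self.seen[src] = stamps
        return stamps[-1] == now if stamps else False


if __name__ == "__main__":
    q = build_query("webpanel.sk", QTYPE_ANY, edns_payload=9000)
    print("rule pattern at DNS offset", q.index(bytes.fromhex(IPTABLES_HEX)))
    print("amp query:", is_amp_query(q), "TC reply bytes:", len(truncated_reply(q)))
```

Note that the rule's string match is anchored only by offset, so a query for the same name with a different EDNS buffer size, or with no OPT record, slips past it; `is_amp_query` above keys on name and type instead, and the TC reply plus the per-source cap stops the reflection regardless of which name the attacker switches to next.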