- From: Bryon Eldridge <barkerjr AT barkerjr.net>
- To: dns-operations AT lists.opennicproject.org
- Subject: [opennic-dns-operations] Operation Global Blackout
- Date: Fri, 30 Mar 2012 06:37:09 -0400
All,
With the possibility of attack from Anonymous tomorrow, here are
firewall rules that might help. I recommend all Tier 2 operators
install them. It basically blocks the root servers from querying your
server, which they should never do. Note that the dport is important,
because the root servers do need to be able to send replies to your
server for lookups of .arpa, but they won't be on your port 53.
iptables -A INPUT -p udp -m udp --dport 53 -s 198.41.0.4 -j DROP      # A-root
iptables -A INPUT -p udp -m udp --dport 53 -s 192.228.79.201 -j DROP  # B-root
iptables -A INPUT -p udp -m udp --dport 53 -s 192.33.4.12 -j DROP     # C-root
iptables -A INPUT -p udp -m udp --dport 53 -s 128.8.10.90 -j DROP     # D-root
iptables -A INPUT -p udp -m udp --dport 53 -s 192.203.230.10 -j DROP  # E-root
iptables -A INPUT -p udp -m udp --dport 53 -s 192.5.5.241 -j DROP     # F-root
iptables -A INPUT -p udp -m udp --dport 53 -s 192.112.36.4 -j DROP    # G-root
iptables -A INPUT -p udp -m udp --dport 53 -s 128.63.2.53 -j DROP     # H-root
iptables -A INPUT -p udp -m udp --dport 53 -s 192.36.148.17 -j DROP   # I-root
iptables -A INPUT -p udp -m udp --dport 53 -s 192.58.128.30 -j DROP   # J-root
iptables -A INPUT -p udp -m udp --dport 53 -s 193.0.14.129 -j DROP    # K-root
iptables -A INPUT -p udp -m udp --dport 53 -s 199.7.83.42 -j DROP     # L-root
iptables -A INPUT -p udp -m udp --dport 53 -s 202.12.27.33 -j DROP    # M-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:503:ba3e::2:30 -j DROP   # A-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:478:65::53 -j DROP       # B-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:2::c -j DROP         # C-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:2d::d -j DROP        # D-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:2f::f -j DROP        # F-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:1::803f:235 -j DROP  # H-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:7fe::53 -j DROP          # I-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:503:c27::2:30 -j DROP    # J-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:7fd::1 -j DROP           # K-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:3::42 -j DROP        # L-root
ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:dc3::35 -j DROP          # M-root
Enjoy!
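The post's point about the destination port is easy to get wrong when reproducing the rules, so here is a small model of the filter as an added example (not code from the mail or from OpenNIC). It regenerates the rule list from the addresses in the post, picking iptables or ip6tables by address family, and then classifies a few constructed sample packets to show which ones the rules would drop: a spoofed query carrying a root-server source address and aimed at our port 53 is dropped, while a genuine root-server reply to a query we sent arrives on an ephemeral destination port and is not touched. The sample addresses 203.0.113.7 and the ephemeral ports are made up for the demonstration.

```python
"""Model of the filter in the mail above: drop UDP packets to our port 53
whose source claims to be a root server, while letting root-server replies
to our own queries (which arrive on an ephemeral port, not 53) through.

Added example, not code from the original post.  The address list is copied
from the post (2012 values); the sample packets are constructed here.
"""
import ipaddress

# Root-server addresses exactly as listed in the post (13 IPv4, 11 IPv6).
ROOT_SERVER_ADDRS = [
    "198.41.0.4", "192.228.79.201", "192.33.4.12", "128.8.10.90",
    "192.203.230.10", "192.5.5.241", "192.112.36.4", "128.63.2.53",
    "192.36.148.17", "192.58.128.30", "193.0.14.129", "199.7.83.42",
    "202.12.27.33",
    "2001:503:ba3e::2:30", "2001:478:65::53", "2001:500:2::c",
    "2001:500:2d::d", "2001:500:2f::f", "2001:500:1::803f:235",
    "2001:7fe::53", "2001:503:c27::2:30", "2001:7fd::1",
    "2001:500:3::42", "2001:dc3::35",
]

# Parsed once; ip_address() raises ValueError on a mistyped address, which
# is preferable to silently installing a rule that matches nothing.
BLOCKED = frozenset(ipaddress.ip_address(a) for a in ROOT_SERVER_ADDRS)


def build_rules(addrs, chain="INPUT"):
    """Emit one DROP rule per address in the same form the post uses,
    selecting iptables or ip6tables from the address family."""
    rules = []
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        tool = "ip6tables" if ip.version == 6 else "iptables"
        rules.append(f"{tool} -A {chain} -p udp -m udp --dport 53 -s {ip} -j DROP")
    return rules


def matches_filter(src, dport, proto="udp"):
    """True if a packet with this source, destination port and protocol
    would hit one of the posted DROP rules.  Only UDP to port 53 from a
    listed address matches; the source port is deliberately irrelevant."""
    return proto == "udp" and dport == 53 and ipaddress.ip_address(src) in BLOCKED


# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    # Spoofed query "from" A-root aimed at our resolver's port 53.
    {"note": "spoofed query, A-root v4", "src": "198.41.0.4",
     "sport": 4321, "dport": 53, "proto": "udp"},
    # Genuine reply from A-root to a query our resolver sent: source port 53,
    # destination is the ephemeral port the resolver chose, so no match.
    {"note": "reply to our own query, A-root v4", "src": "198.41.0.4",
     "sport": 53, "dport": 51234, "proto": "udp"},
    # Spoofed query over IPv6 with source port 53 as well: dport is still 53.
    {"note": "spoofed query, K-root v6", "src": "2001:7fd::1",
     "sport": 53, "dport": 53, "proto": "udp"},
    # Ordinary client query from a non-root address.
    {"note": "normal client query", "src": "203.0.113.7",
     "sport": 40000, "dport": 53, "proto": "udp"},
    # TCP from a root address to port 53: the posted rules are UDP-only.
    {"note": "TCP to port 53, A-root v4", "src": "198.41.0.4",
     "sport": 40001, "dport": 53, "proto": "tcp"},
]


def classify(packets):
    """Return (note, verdict) pairs, where verdict is DROP or ACCEPT."""
    return [(p["note"],
             "DROP" if matches_filter(p["src"], p["dport"], p["proto"]) else "ACCEPT")
            for p in packets]


if __name__ == "__main__":
    for rule in build_rules(ROOT_SERVER_ADDRS):
        print(rule)
    for note, verdict in classify(SAMPLE_PACKETS):
        print(f"{verdict:6} {note}")
```

The second sample packet is the case the post warns about: had the rules omitted --dport 53, every answer the root servers send back to the resolver would have been dropped along with the spoofed queries. The last sample shows that the rules as written say nothing about TCP, which is consistent with the post's focus on UDP.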
- [opennic-dns-operations] Operation Global Blackout, Bryon Eldridge, 03/30/2012
- Re: [opennic-dns-operations] Operation Global Blackout, Alex Hanselka, 03/30/2012