dns-operations AT lists.opennicproject.org
Subject: Dns-operations mailing list
- From: Alex Hanselka <alex AT hanselka.name>
- To: dns-operations AT lists.opennicproject.org
- Subject: Re: [opennic-dns-operations ] Operation Global Blackout
- Date: Fri, 30 Mar 2012 13:08:20 -0500
Doing all the leg work for me! You rock. Thanks :)
On Fri, Mar 30, 2012 at 06:37:09AM -0400, Bryon Eldridge wrote:
> All,
>
> With the possibility of attack from Anonymous tomorrow, here are
> Firewall rules that might help. I recommend all Tier 2 operators
> install them. It basically blocks the root servers from querying your
> server, which they should never do. Note that the dport is important,
> because the root servers do need to be able to send replies to your
> server for lookups of .arpa, but they won't be on your port 53.
>
> iptables -A INPUT -p udp -m udp --dport 53 -s 198.41.0.4 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 192.228.79.201 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 192.33.4.12 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 128.8.10.90 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 192.203.230.10 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 192.5.5.241 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 192.112.36.4 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 128.63.2.53 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 192.36.148.17 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 192.58.128.30 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 193.0.14.129 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 199.7.83.42 -j DROP
> iptables -A INPUT -p udp -m udp --dport 53 -s 202.12.27.33 -j DROP
>
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:503:ba3e::2:30 -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:478:65::53 -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:2::c -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:2d::d -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:2f::f -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:1::803f:235 -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:7fe::53 -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:503:c27::2:30 -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:7fd::1 -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:500:3::42 -j DROP
> ip6tables -A INPUT -p udp -m udp --dport 53 -s 2001:dc3::35 -j DROP
>
> Enjoy!
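
The same drops arranged so they can be re-applied without duplicating rules and are evaluated before any earlier ACCEPT rule for port 53 (rules added with `-A` land at the end of INPUT), as an added example that is not part of the original post. The chain name `ROOT_SRC_DROP` and the function names are assumptions made for this example; the three sample addresses are taken from the list above.

```shell
#!/bin/sh
# Added example: print idempotent rules that drop UDP queries to local
# port 53 from a list of source addresses. It only prints commands.
CHAIN=ROOT_SRC_DROP   # hypothetical chain name chosen for this example

# Choose the tool by address family: a colon in the address means IPv6.
fw_tool() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Print the commands for one tool ($1) and its source addresses (the rest).
emit_chain() {
    tool=$1; shift
    # Create the chain, or flush it if it already exists, so re-runs do not
    # pile up duplicate rules.
    echo "$tool -N $CHAIN 2>/dev/null || $tool -F $CHAIN"
    for addr in "$@"; do
        echo "$tool -A $CHAIN -s $addr -j DROP"
    done
    # Jump from the top of INPUT, only for UDP to port 53, and only if the
    # jump is not already present. Replies from these servers arrive on other
    # destination ports and never enter the chain.
    echo "$tool -C INPUT -p udp -m udp --dport 53 -j $CHAIN 2>/dev/null || $tool -I INPUT 1 -p udp -m udp --dport 53 -j $CHAIN"
}

# Split the given addresses by family and print the rules for each.
gen_rules() {
    v4=""; v6=""
    for addr in "$@"; do
        if [ "$(fw_tool "$addr")" = ip6tables ]; then
            v6="$v6 $addr"
        else
            v4="$v4 $addr"
        fi
    done
    [ -n "$v4" ] && emit_chain iptables $v4
    [ -n "$v6" ] && emit_chain ip6tables $v6
    return 0
}

# Sample input: three addresses copied from the post above.
SAMPLE="198.41.0.4 192.228.79.201 2001:503:ba3e::2:30"
gen_rules $SAMPLE
```

Review the printed commands, then pipe them to `sh` as root to apply them.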