dns-operations AT lists.opennicproject.org
Subject: Dns-operations mailing list
- From: David Norman <deekayen AT deekayen.net>
- To: dns-operations AT lists.opennicproject.org
- Subject: Re: [opennic-dns-operations] Concerning T2 46.252.139.27 Downtime
- Date: Sun, 19 Aug 2012 20:30:24 -0400
The wiki is hard for me to track and know about changes to the ddos.pl
script. I pasted it to a gist in hopes that someone more official will fork
it and then I can star it to watch, and see more code-like diff files between
updates. https://gist.github.com/3398840
On Aug 19, 2012, at 7:02 PM, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
> Have you looked at the code on http://wiki.opennic.glue/ddosDotPl
> This script was written specifically for the amplification attack. (Sorry
> if we already talked about this on IRC, I'm no good at remembering which names
> go with which nicks.)
>
> Another method of blocking this attack is shutting off that port
> completely...
> # iptables -I INPUT -i eth0 -p udp --sport 25345 -j DROP
>
>
>
> On 08/19/2012 05:03 AM, Falk Husemann wrote:
>> Hello,
>>
>> my T2 at 46.252.139.27 was offline since yesterday 11pm til today 12am.
>>
>> The T2 seems to have been used in a DNS Amplification DoS which
>> generated too many small UDP packets to the spoofed querying client.
>> This took my whole cable connection down (again!).
>>
>> These are the queries (had to enable query log for one minute):
>> query.log:19-Aug-2012 12:46:41.502 client 199.115.114.218#25345:
>> query: isc.org IN ANY +ED (46.252.139.27)
>>
>>
>> Here is the iptables line to stop this attack:
>> iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|"
>> --algo bm -j DROP
>>
>> Suggestions/improvements welcome!
>>
>> Greets,
>> Falk
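The hex string in the iptables rule quoted above is the DNS wire-format encoding of isc.org (length-prefixed labels ending in a zero byte). The following is an added example, not code from the thread or from ddos.pl: it derives that pattern for any name and counts ANY queries per client from BIND query-log lines. The function names and the sample log lines are assumptions constructed for illustration; the first sample line is the one from the thread joined onto a single line.

```python
import re
from collections import Counter

def qname_hex(name):
    """Hex of a domain name in DNS wire format: <len><label>...<00>."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # the root label terminates the name
    return out.hex()

def iptables_rule(name):
    # Same rule shape as the one posted in the thread. The match is
    # byte-exact, so it covers only the spelling passed in, and it also
    # hits any packet that carries this name, including subdomains of it.
    return ('iptables -A INPUT -p udp -m string --hex-string "|%s|" '
            '--algo bm -j DROP' % qname_hex(name))

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)")

def count_any_queries(lines):
    """Count ANY queries per (client IP, lowercased query name)."""
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("qtype") == "ANY":
            key = (m.group("ip"), m.group("name").lower().rstrip("."))
            hits[key] += 1
    return hits

# Constructed sample: line 1 is from the thread (joined), the rest are made up.
SAMPLE_LOG = [
    "19-Aug-2012 12:46:41.502 client 199.115.114.218#25345: query: isc.org IN ANY +ED (46.252.139.27)",
    "19-Aug-2012 12:46:41.610 client 199.115.114.218#25345: query: ISC.ORG IN ANY +ED (46.252.139.27)",
    "19-Aug-2012 12:46:42.003 client 192.0.2.10#53211: query: example.org IN A + (46.252.139.27)",
]

if __name__ == "__main__":
    print(iptables_rule("isc.org"))
    for (ip, name), n in count_any_queries(SAMPLE_LOG).most_common():
        print(ip, name, n)
```

The second sample line shows a query the log counter groups with the first but the byte-exact iptables pattern for the lowercase name would not match.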