dns-operations AT lists.opennicproject.org
Subject: Dns-operations mailing list
List archive
- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: dns-operations AT lists.opennicproject.org
- Subject: [opennic-dns-operations] Update on blocking attacks
- Date: Fri, 15 Feb 2013 15:03:48 -0700
Yesterday my T2 server was attacked again. The attacker was spoofing IPs from all over, but the queries were specifically asking for ANY from the root zone. I'm not certain if this was meant to shut down my own service, or if for some reason they were trying to take down all of the ICANN roots at once? Regardless, it had a significant effect on my connection.
While digging around, I came across the following rules:
-p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
-p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 4 -j DROP
These two lines watch for ANY queries, and if the IP requests more than 3 per minute, they are dropped.
I've been noticing that the attack scripts seem to be getting smarter lately. If my server stops helping with their attack, they stop trying to use me after awhile. If this is true, it would have to mean at least one of the IPs used in the attack is the legitimate home of the attacker. Not sure if that helps us any, but I thought I would mention it.
So currently, I have the following added to my firewall, which is run after my firewall is started. Since these lines are inserted at the beginning of the INPUT chain, they are listed in reverse order. The two rules above need to remain in the given order, while the other two rules below are individually tailored for specific attacks and do not matter where they get inserted.
iptables -I INPUT -p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --to 65535 --dport 53 -j DROP
iptables -I INPUT -p udp -m string --hex-string "|0000000000010472697065036e6574|" --algo bm --to 65535 --dport 53 -j DROP
iptables -I INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
- [opennic-dns-operations] Update on blocking attacks, Jeff Taylor, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Peter Green, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Jeff Taylor, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Peter Green, 02/17/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Stefan Sabolowitsch, 02/16/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Jeff Taylor, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, kennytaylor, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Peter Green, 02/15/2013
Archive powered by MHonArc 2.6.19.