dns-operations AT lists.opennicproject.org
- From: <kennytaylor AT runbox.com>
- To: "dns-operations" <dns-operations AT lists.opennicproject.org>
- Subject: Re: [opennic-dns-operations] Update on blocking attacks
- Date: Fri, 15 Feb 2013 15:21:38 -0800 (PST)
All quiet on my T2 here. Thanks for the iptables rules!
----- Start Original Message -----
Sent: Fri, 15 Feb 2013 15:03:48 -0700
From: Jeff Taylor <shdwdrgn AT sourpuss.net>
To: dns-operations AT lists.opennicproject.org
Subject: [opennic-dns-operations] Update on blocking attacks
> Yesterday my T2 server was attacked again. The attacker was spoofing
> IPs from all over, but the queries were specifically asking for ANY from
> the root zone. I'm not certain if this was meant to shut down my own
> service, or if for some reason they were trying to take down all of the
> ICANN roots at once? Regardless, it had a significant effect on my
> connection.
>
> While digging around, I came across the following rules:
> -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
> -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 4 -j DROP
>
> These two lines watch for ANY queries, and if the IP requests more than
> 3 per minute, they are dropped.
>
> I've been noticing that the attack scripts seem to be getting smarter
> lately. If my server stops helping with their attack, they stop trying
> to use me after a while. If this is true, it would have to mean at least
> one of the IPs used in the attack is the legitimate home of the
> attacker. Not sure if that helps us any, but I thought I would mention it.
>
> So currently, I have the following added to my firewall, which is run
> after my firewall is started. Since these lines are inserted at the
> beginning of the INPUT chain, they are listed in reverse order. The two
> rules above need to remain in the given order, while the other two rules
> below are individually tailored for specific attacks and do not matter
> where they get inserted.
>
> iptables -I INPUT -p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --to 65535 --dport 53 -j DROP
> iptables -I INPUT -p udp -m string --hex-string "|0000000000010472697065036e6574|" --algo bm --to 65535 --dport 53 -j DROP
> iptables -I INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 4 -j DROP
> iptables -I INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
>
>
> ----
> To unsubscribe, email dns-operations-unsubscribe AT lists.opennicproject.org
----- End Original Message -----
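The two ANY-query rules quoted above work in two stages: `-m string` looks for the five bytes that close a question for QTYPE ANY, QCLASS IN (the QNAME terminator 00, then 00FF, then 0001), and `-m recent` records each such packet per source (--set) and drops the packet once the source has four or more recorded hits inside the last 60 seconds (--rcheck --seconds 60 --hitcount 4), which is why the --set rule has to sit above the --rcheck rule in the chain. The script below is an added example written for this archive page; it is not code from the original message or from the OpenNIC project. It builds DNS queries in wire format, wraps them in a synthetic IPv4/UDP framing, and replays the two rules in chain order over constructed traffic so you can see which packets would be caught. It assumes that `-m string --from` counts bytes from the start of the IPv4 header (20 bytes, no options), so the question section begins at byte 40, and that xt_recent matches when a source has at least --hitcount stamps within --seconds; the source address 203.0.113.7, the names and the timing are constructed sample data, and pattern_offset, replay and any_query_verdict are names of this example, not of iptables. Under the first assumption the pattern for a short name such as isc.org lands at byte 48, so a rule with --from 50 would not see it, while --from 40 would; before relying on either offset, send yourself a test query and watch the rule's packet counters in `iptables -nvL INPUT`.

```python
"""Offline model of the posted DNS-ANY iptables rules (added example; not code from the original post).

Assumptions, labelled here and in the lead-in: `-m string --from` counts from the first byte of the
IPv4 header (20-byte header, no options), and xt_recent matches when a source has >= --hitcount
stamps within the last --seconds. Addresses, names and timings are constructed sample data.
"""
import struct

ANY_IN = bytes.fromhex("0000FF0001")  # QNAME terminator (00) + QTYPE ANY (00FF) + QCLASS IN (0001)
IPV4_UDP_DNS_HEADER_LEN = 20 + 8 + 12  # bytes before the question section when IP has no options


def encode_qname(name):
    """Wire-format QNAME: length-prefixed labels ending in a zero byte; "." (root) is just b"\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name, qtype, edns=True, txid=0x1234):
    """Standard query with one question and, as amplifiers send, an EDNS0 OPT RR (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set, QDCOUNT=1
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""  # root, TYPE OPT, 4096 bytes
    return header + question + opt


def build_ipv4_udp_packet(src_ip, payload, src_port=40000, dst_port=53):
    """Synthetic IPv4 + UDP framing; checksums stay zero because only byte offsets matter here."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([198, 51, 100, 53]))
    return ip + udp + payload


def string_match(packet, pattern, from_offset=0, to_offset=65535):
    """-m string --algo bm --hex-string PATTERN --from F --to T: pattern lies wholly inside packet[F:T]."""
    return packet.find(pattern, from_offset, to_offset) != -1


class RecentList:
    """Model of xt_recent: --set appends a timestamp for the source; --rcheck --seconds S --hitcount N
    matches when at least N stamps fall within the last S seconds. --rcheck itself adds no stamp."""

    def __init__(self, seconds=60, hitcount=4):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = {}  # src_ip -> list of hit times

    def set(self, src, now):
        self.stamps.setdefault(src, []).append(now)

    def rcheck(self, src, now):
        window = [t for t in self.stamps.get(src, ()) if now - t <= self.seconds]
        return len(window) >= self.hitcount


def any_query_verdict(packet, src_ip, recent, now, from_offset=50):
    """Replay the two rules in the order they end up in INPUT (the --set rule is inserted last, so it
    runs first): record the hit, then DROP once the source reaches the hit count (4th ANY in 60 s)."""
    if not string_match(packet, ANY_IN, from_offset):
        return "ACCEPT"  # rule does not see an ANY/IN question; packet continues down the chain
    recent.set(src_ip, now)
    return "DROP" if recent.rcheck(src_ip, now) else "ACCEPT"


def pattern_offset(name):
    """Byte offset where |0000FF0001| lands for an ANY query on NAME: headers + len(QNAME) - 1."""
    return IPV4_UDP_DNS_HEADER_LEN + len(encode_qname(name)) - 1


def replay(name, count=6, interval=10.0, from_offset=50, src_ip="203.0.113.7"):
    """Constructed attack: one spoofed source sends COUNT ANY queries for NAME, INTERVAL s apart."""
    recent = RecentList()
    pkt = build_ipv4_udp_packet(src_ip, build_dns_query(name, 255))
    return [any_query_verdict(pkt, src_ip, recent, i * interval, from_offset) for i in range(count)]


if __name__ == "__main__":
    for name in ("isc.org", "ripe.net", ".", "www.example.com"):
        print(f"{name:>16}: pattern at byte {pattern_offset(name)}; "
              f"--from 50 -> {replay(name, from_offset=50)}; --from 40 -> {replay(name, from_offset=40)}")
```

Running it prints, per name, where the pattern sits and the six verdicts under each offset: with the window working as modelled, the first three ANY queries pass and the fourth through sixth are dropped, while the same six queries spaced 25 seconds apart never reach four hits inside a minute and all pass. Change the names, spacing or --from value to match what your own server sees.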
- [opennic-dns-operations] Update on blocking attacks, Jeff Taylor, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Peter Green, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Jeff Taylor, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Peter Green, 02/17/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Stefan Sabolowitsch, 02/16/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Jeff Taylor, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, kennytaylor, 02/15/2013
- Re: [opennic-dns-operations] Update on blocking attacks, Peter Green, 02/15/2013