What are these entries in the log file (blocking)
Mark Andrews
Mark_Andrews at isc.org
Tue Jan 27 22:17:32 UTC 2009
In message <260425.38131.qm at web38201.mail.mud.yahoo.com>, W Sanders writes:
> The easy way to block people trying to DoS you, without needing a firewall, is to just null route their IP: "add route
> 1.2.3.4 127.0.0.1". Of course this blocks ALL traffic from that IP, but in most cases the IP trying to DoS you is
> someone you don't care about anyway. If you have an authoritative server, this has the side effect of blocking them from
> getting any DNS about your domain - USUALLY a good thing.
>
> Remember to remove the route after a while (in Unix with an "at" job) so a year from now you or another sysadmin isn't
> completely confused - the routing table on a server isn't exactly the first thing one looks at.
>
> You can also write a script that grabs these IPs out of the syslog and automatically null routes them. Call it
> "intrusion detection" if you will.
>
> -w
Which does collateral damage.
Complain to your ISP if you are receiving these forged queries.
They should be tracked back to their source and eliminated.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
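
Added example, not part of either message above: a log summarizer that collects denied queries per claimed source address as evidence for an ISP complaint, instead of installing routes against addresses that may be forged. The log line shape (BIND 9 "query (cache) ... denied" via syslog), the sample lines, and the names `summarize` and `evidence` are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Constructed sample lines, in the shape BIND 9 logs a refused query via syslog.
SAMPLE_LOG = """\
Jan 27 22:10:01 ns1 named[812]: client 192.0.2.10#4431: query (cache) './NS/IN' denied
Jan 27 22:10:02 ns1 named[812]: client 192.0.2.10#4431: query (cache) './NS/IN' denied
Jan 27 22:10:02 ns1 named[812]: client 198.51.100.7#53211: query (cache) 'example.com/A/IN' denied
Jan 27 22:10:03 ns1 named[812]: client 192.0.2.10#9120: query (cache) './NS/IN' denied
Jan 27 22:10:04 ns1 sshd[901]: Accepted publickey for admin from 203.0.113.4
Jan 27 22:25:40 ns1 named[812]: client 192.0.2.10#4431: query (cache) './NS/IN' denied
"""

# Assumed line format: syslog timestamp, host, named[pid], client ip#port, query, "denied".
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\snamed\[\d+\]:\s"
    r"client\s(?P<ip>[0-9a-fA-F.:]+)#\d+:\squery\s\(cache\)\s'(?P<q>[^']+)'\sdenied"
)

def summarize(log_text, year=2009):
    """Group denied queries by claimed source: count, first/last seen, names asked."""
    report = {}
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m is None:
            continue  # not a denied-query line from named
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = report.setdefault(
            m["ip"], {"count": 0, "first": ts, "last": ts, "queries": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["queries"].add(m["q"])
    return report

def evidence(report, min_count=2):
    """One line per claimed source seen at least min_count times, busiest first."""
    rows = sorted(report.items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{ip} count={e['count']} first={e['first'].isoformat()} "
        f"last={e['last'].isoformat()} queries={','.join(sorted(e['queries']))}"
        for ip, e in rows if e["count"] >= min_count
    ]

if __name__ == "__main__":
    # Report only; the source addresses are what the packets claim, not proof of origin.
    print("\n".join(evidence(summarize(SAMPLE_LOG))))
```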