ddos reflection attack

Alan Clifford sardines at purse-seine.net
Sun Jan 18 14:13:09 UTC 2009


Hello, someone suggested I ask in here.

From the log:

16-Jan-2009 19:42:17.105 queries: info: client 69.50.137.175#49046: query: . IN NS +
16-Jan-2009 19:42:17.215 queries: info: client 69.50.137.175#1521: query: . IN NS +
16-Jan-2009 19:42:18.495 queries: info: client 69.50.137.175#1007: query: . IN NS +
16-Jan-2009 19:42:18.599 queries: info: client 69.50.137.175#27729: query: . IN NS +
16-Jan-2009 19:42:19.150 queries: info: client 69.50.137.175#46079: query: . IN NS +
16-Jan-2009 19:42:21.168 queries: info: client 69.50.137.175#47562: query: . IN NS +
16-Jan-2009 19:42:21.336 queries: info: client 69.50.137.175#16400: query: . IN NS +


I understand the idea of this is that multiple nameservers, including 
mine, respond to the spoofed IP address.

As a temporary measure I have blocked the target's /20 IP addresses for 
UDP port 53 in my router (blocked seems to mean drop as far as I can 
tell from the logs).

I have also tried a more generic iptables solution but I am worried that 
this might have adverse effects on legitimate queries, such as from my 
secondaries:

# Rule 1: record every new UDP/53 flow arriving on eth0 that is not from
# the secondaries' /28 in the xt_recent list
iptables -I INPUT -p udp --dport 53 -i eth0 ! -s 81.187.211.32/28 \
    -m state --state NEW -m recent --set

# Rule 2: drop a source once it has been seen 20 times within 60 seconds.
# Both rules use -I, so this one ends up above rule 1 in the INPUT chain.
# --hitcount cannot exceed xt_recent's ip_pkt_list_tot, which defaults to 20.
iptables -I INPUT -p udp --dport 53 -i eth0 ! -s 81.187.211.32/28 \
    -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP


I tried it with a hit count of 30 and that stopped it working and I don't 
know why.

I should be grateful for any advice here because, I understand, I could 
be regarded as attacking 69.50.137.175.


-- 
Alan

( If replying by mail, please note that all "sardines" are canned.
   However, unless this a very old message, a "tuna" will swim right
   through. )
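To turn the query log above into something a defender can act on, here is an added example (not part of Alan's message or of BIND) that parses query-log records in this format and flags any source that repeatedly asks for the root NS set within a short window. The 60-second window, the threshold of 5 and the extra 192.0.2.10 record are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One BIND 9 query-log record in the format the post shows (timestamp, client ip#port, qname, class, type, flags).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<rtype>\S+) (?P<flags>\S+)$"
)

# Constructed sample: the seven records from the post plus one ordinary lookup from 192.0.2.10 (documentation range).
SAMPLE_LOG = [
    "16-Jan-2009 19:42:17.105 queries: info: client 69.50.137.175#49046: query: . IN NS +",
    "16-Jan-2009 19:42:17.215 queries: info: client 69.50.137.175#1521: query: . IN NS +",
    "16-Jan-2009 19:42:18.495 queries: info: client 69.50.137.175#1007: query: . IN NS +",
    "16-Jan-2009 19:42:18.599 queries: info: client 69.50.137.175#27729: query: . IN NS +",
    "16-Jan-2009 19:42:19.150 queries: info: client 69.50.137.175#46079: query: . IN NS +",
    "16-Jan-2009 19:42:20.000 queries: info: client 192.0.2.10#53211: query: example.com IN A -",
    "16-Jan-2009 19:42:21.168 queries: info: client 69.50.137.175#47562: query: . IN NS +",
    "16-Jan-2009 19:42:21.336 queries: info: client 69.50.137.175#16400: query: . IN NS +",
]

def parse_line(line):
    """Parse one record into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"), "ip": m.group("ip"),
            "port": int(m.group("port")), "name": m.group("name"), "rtype": m.group("rtype"),
            "flags": m.group("flags")}

def find_reflection_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: peak_count} for sources sending >= threshold '. IN NS' queries inside any sliding window."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q and q["name"] == "." and q["rtype"] == "NS":   # root NS set: large answer, the query seen in the post
            stamps_by_ip[q["ip"]].append(q["ts"])
    suspects = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                suspects[ip] = max(suspects.get(ip, 0), end - start + 1)
    return suspects
```

On the sample log this reports 69.50.137.175 with 7 hits and ignores the ordinary lookup; as the post notes, that address is the spoofed victim rather than the attacker, so the output says who to rate-limit, not whom to blame.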




More information about the bind-users mailing list