denied NS/IN
Mark Andrews
Mark_Andrews at isc.org
Fri Jan 23 22:57:05 UTC 2009
In message <F4058B15-888B-4CBD-B682-2EA2E1889721 at stupendous.net>, Nathan Ollerenshaw writes:
> On 21/01/2009, at 10:40 AM, Scott Haneda wrote:
>
> > Hello, looking at my logs today, I am getting hammered with these:
> > 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:
> > query (cache) './NS/IN' denied
> > 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:
> > query (cache) './NS/IN' denied
> >
> > Repeated over and over, how do I tell what they are, and if they are
> > bad, what is the best way to block them?
> > --
> > Scott
>
> Scott,
>
> As you know, these are spoofed queries, created in the hope that you
> will reflect traffic back to these IPs to assist in DDoSing them.
>
> Patrik Rak posted to my blog an iptables rule, which is useful for
> those of us running linux, that drops this specific type of recursive
> query; namely IN NS queries against '.'.
>
> iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
> "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
>
> I've tested it, and it appears effective. I now have blessed silence
> in my logfiles.
If you don't also have blessed silence on the counters
on this rule, there is still a problem and you should be
complaining to whoever is sending the packets to you.
This just stops the amplification; it doesn't clear up the
problem.
> Ideally it'd be great to be able to track back through the internet
> and get every single network operator to implement BCP 38, but while
> that's getting done (and good luck with that), you at least have a
> workaround.
>
> At least until the kiddies change what kind of query they use ... god
> forbid they work out what names an authoritative nameserver WILL
> respond to and query that.
>
> Hope this helps,
>
> Nathan.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
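An added example, not part of this thread and not code from BIND or the iptables u32 module: a small Python model of what the quoted u32 expression actually tests on a packet, plus a tally of the BIND "query (cache) './NS/IN' denied" log lines by client address, which is the list you would need when following Mark's advice to complain to whoever is sending the packets. The packet builder, the sample log lines and the addresses in them are constructed for illustration; the real log line is a single line, whereas the mail wrapped it in two.

```python
"""Model of the u32 rule from the thread and a counter for the BIND
denied-query log lines.  Packets and log lines are constructed samples."""
import re
import struct
from collections import Counter


def build_ipv4_udp_dns_query(qname, qtype, qclass=1, ihl_words=5):
    """Construct a minimal IPv4 + UDP + DNS query (constructed sample).
    ihl_words > 5 pads the IP header with zeroed options, because the
    u32 rule reads the header length from the packet rather than assuming 20."""
    labels = b"".join(struct.pack("B", len(p)) + p.encode()
                      for p in qname.split(".") if p)
    question = labels + b"\x00" + struct.pack("!HH", qtype, qclass)
    # DNS header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    # UDP header: sport, dport 53, length, checksum (left zero)
    udp = struct.pack("!HHHH", 48517, 53, 8 + len(dns), 0) + dns
    ihl_bytes = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words, 0, ihl_bytes + len(udp),
                     0, 0, 64, 17, 0,
                     bytes([66, 230, 160, 1]), bytes([192, 0, 2, 53]))
    return ip + b"\x00" * (ihl_bytes - 20) + udp


def matches_root_ns_query(packet):
    """Apply the same tests as the quoted rule, using slicing instead of
    u32 arithmetic:
      -p udp --dport domain  -> IP protocol 17 and UDP destination port 53
      0>>22&0x3C             -> IP header length in bytes (IHL * 4)
      @12>>16 = 1            -> DNS QDCOUNT == 1 (UDP header 8 + DNS offset 4)
      @20>>24 = 0            -> first QNAME byte is 0, i.e. the root name "."
      @21 = 0x00020001       -> QTYPE 2 (NS) followed by QCLASS 1 (IN)"""
    if len(packet) < 20 or packet[9] != 17:
        return False
    ihl = (packet[0] & 0x0F) * 4          # what 0>>22&0x3C evaluates to
    if len(packet) < ihl + 25:
        return False
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    qdcount = struct.unpack("!H", packet[ihl + 12:ihl + 14])[0]
    first_label_len = packet[ihl + 20]
    qtype_qclass = struct.unpack("!I", packet[ihl + 21:ihl + 25])[0]
    return (dport == 53 and qdcount == 1 and first_label_len == 0
            and qtype_qclass == 0x00020001)


# Matches the log format shown in the thread (one line per entry in the real log).
DENIED_RE = re.compile(
    r"client (\d+\.\d+\.\d+\.\d+)#\d+: query \(cache\) '\./NS/IN' denied")


def count_denied_root_ns(log_lines):
    """Tally denied './NS/IN' queries by claimed source address.  Because
    the sources are spoofed, these are the victims being reflected at,
    not the sender; the counts still show who needs to be told."""
    counts = Counter()
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


# Constructed sample log lines in the format from the original question.
SAMPLE_LOG = [
    "20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: "
    "query (cache) './NS/IN' denied",
    "20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: "
    "query (cache) './NS/IN' denied",
    "20-Jan-2009 15:39:07.101 security: info: client 66.230.160.1#50211: "
    "query (cache) './NS/IN' denied",
    "20-Jan-2009 15:39:07.455 security: info: client 192.0.2.7#4021: "
    "query (cache) 'example.com/A/IN' denied",
]

if __name__ == "__main__":
    print("root NS query dropped:",
          matches_root_ns_query(build_ipv4_udp_dns_query(".", 2)))
    print("example.com A passes:",
          not matches_root_ns_query(build_ipv4_udp_dns_query("example.com", 1)))
    print(count_denied_root_ns(SAMPLE_LOG).most_common())
```

The matcher only reproduces the rule; it inherits the rule's limits, which Nathan already names: a query for any other name or type passes straight through, and because the rule drops rather than answers, the packet counters on it (`iptables -L INPUT -v -n -x`) are the only place you will still see the flood.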