denied NS/IN

Mark Andrews Mark_Andrews at isc.org
Fri Jan 23 22:57:05 UTC 2009


In message <F4058B15-888B-4CBD-B682-2EA2E1889721 at stupendous.net>, Nathan Ollerenshaw writes:
> On 21/01/2009, at 10:40 AM, Scott Haneda wrote:
> 
> > Hello, looking at my logs today, I am getting hammered with these:
> > 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:  
> > query (cache) './NS/IN' denied
> > 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:  
> > query (cache) './NS/IN' denied
> >
> > Repeated over and over, how do I tell what they are, and if they are  
> > bad, what is the best way to block them?
> > --
> > Scott
> 
> Scott,
> 
> As you know, these are spoofed queries, created in the hope that you  
> will reflect traffic back to these IPs to assist in DDoSing them.
> 
> Patrik Rak posted to my blog an iptables rule, which is useful for  
> those of us running linux, that drops this specific type of recursive  
> query; namely IN NS queries against '.'.
> 
> iptables -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
> "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
> 
> I've tested it, and it appears effective. I now have blessed silence  
> in my logfiles.

	If you don't also have blessed silence on the counters
	on this rule there is still a problem and you should be
	complaining to whoever is sending the packets to you.

	This just stops the amplification; it doesn't clear up the
	problem.
 
> Ideally it'd be great to be able to track back through the internet  
> and get every single network operator to implement BCP 38, but while  
> that's getting done (and good luck with that), you at least have a  
> workaround.
> 
> At least until the kiddies change what kind of query they use ... god  
> forbid they work out what names an authoritative nameserver WILL  
> respond to and query that.
> 
> Hope this helps,
> 
> Nathan.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
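As an added illustration (not part of the thread), the following Python re-states the three `&&` terms of Patrik Rak's u32 match quoted above against constructed raw IPv4/UDP/DNS packets, so the rule's offsets can be checked offline and the matched count, the counter Mark says should not go quiet, can be read off. Addresses and packet contents are constructed; `build_query` and `matches_root_ns_rule` are names chosen here.

```python
import struct

# All packets below are constructed test data, not captures from the thread.
# 66.230.160.1 is the (spoofed) source from Scott's log line; 192.0.2.53 is a
# documentation-range address standing in for the nameserver.

def build_query(labels, qtype, qclass, qdcount=1, ip_options=b""):
    """Raw IPv4 + UDP(dst 53) + DNS query bytes carrying one question."""
    dns = struct.pack(">HHHHHH", 0x1234, 0x0100, qdcount, 0, 0, 0)  # RD set
    for label in labels:
        dns += bytes([len(label)]) + label.encode()
    dns += b"\x00" + struct.pack(">HH", qtype, qclass)
    udp = struct.pack(">HHHH", 48517, 53, 8 + len(dns), 0) + dns
    ihl = 5 + len(ip_options) // 4            # IP options must be 4-byte aligned
    ip = struct.pack(">BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp),
                     0, 0, 64, 17, 0, bytes([66, 230, 160, 1]), bytes([192, 0, 2, 53]))
    return ip + ip_options + udp

def matches_root_ns_rule(pkt):
    """Python re-statement of the quoted u32 expression on a raw IPv4 packet.

    0>>22&0x3C : top bits of the first IP word, masked, give IHL*4, the byte
    offset of the UDP header; '@' rebases every later offset there.
    """
    if len(pkt) < 4:
        return False
    word0 = struct.unpack(">I", pkt[:4])[0]
    base = (word0 >> 22) & 0x3C
    def u32_at(off):
        chunk = pkt[base + off: base + off + 4]
        return struct.unpack(">I", chunk)[0] if len(chunk) == 4 else None
    # @12>>16=1 : UDP header is 8 bytes, so +12 is DNS offset 4 (QDCOUNT|ANCOUNT)
    w = u32_at(12)
    if w is None or (w >> 16) != 1:
        return False
    # @20>>24=0 : DNS offset 12 is the first QNAME byte; 0 means the root name '.'
    w = u32_at(20)
    if w is None or (w >> 24) != 0:
        return False
    # @21=0x00020001 : QTYPE NS (2) followed by QCLASS IN (1)
    return u32_at(21) == 0x00020001

def drop_counter(pkts):
    """How many packets the rule would drop: the counter worth watching."""
    return sum(1 for p in pkts if matches_root_ns_rule(p))
```

A non-zero `drop_counter` means the spoofed queries are still arriving and, as Mark notes, only the amplification has been suppressed.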