New type of DDoS? Anyone seen it?

bert hubert bert.hubert at netherlabs.nl
Mon May 16 19:41:44 UTC 2016


On Mon, May 16, 2016 at 09:20:17PM +0200, Marek Królikowski wrote:
> Hello
> I just called one of the clients who is doing this DDoS and he confirmed he uses UBI
> devices....
> Does anyone know how to block all AAAA queries like this: "query 331.206.372.214 IN
> AAAA" with random AAA.XXX.YYY.ZZZ addresses?

Marek, I don't know if BIND does this natively, but the following dnsdist
statement implements this:

addAction(RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$"), DropAction())

If you want you could also do:

addAction(AndRule{QTypeRule(pdns.AAAA), RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$")}, DropAction())

This limits the rule to AAAA queries only.

The only other things you need to do are setACL() so dnsdist allows access
to the right IP addresses and newServer("192.168.1.2") to set the IP address
of your actual BIND server.

This would also get you a whole bunch of cool statistics on how well your
server is doing. For more on dnsdist, see http://dnsdist.org/

	Bert
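Added example, not part of Bert's post and not dnsdist code: before dropping traffic at the edge it is useful to replay the same match that the dnsdist RegexRule would perform against a BIND query log, to see which clients and what share of queries the rule would actually hit. The script below reuses Bert's regex (four groups of exactly three digits, so the bogus "octets" above 255 still match) and applies it, optionally restricted to AAAA, to constructed log lines in the BIND 9 querylog layout assumed here ("client <ip>#<port> (<qname>): query: <qname> IN <qtype> ..."); the addresses and timestamps are invented for the example.

```python
import re
from collections import Counter

# Same pattern as the dnsdist RegexRule in the post: four dot-separated groups
# of exactly three digits. The observed names look like "331.206.372.214", so
# groups above 255 are expected and must still match.
RANDOM_QUAD = re.compile(r"^[0-9]{3}\.[0-9]{3}\.[0-9]{3}\.[0-9]{3}$")

# Assumed BIND 9 querylog layout (not taken from the thread):
#   <timestamp> client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server-ip>)
QUERY_LOG = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample log: two flood sources (198.51.100.7, 203.0.113.4) and
# one legitimate client (198.51.100.9).
SAMPLE_LOG = """\
16-May-2016 21:15:03.101 client 198.51.100.7#41234 (331.206.372.214): query: 331.206.372.214 IN AAAA + (192.0.2.1)
16-May-2016 21:15:03.102 client 198.51.100.7#41235 (908.117.455.021): query: 908.117.455.021 IN AAAA + (192.0.2.1)
16-May-2016 21:15:03.103 client 198.51.100.9#50001 (example.com): query: example.com IN AAAA + (192.0.2.1)
16-May-2016 21:15:03.104 client 198.51.100.7#41236 (123.456.789.012): query: 123.456.789.012 IN A + (192.0.2.1)
16-May-2016 21:15:03.105 client 203.0.113.4#33000 (645.010.999.333): query: 645.010.999.333 IN AAAA + (192.0.2.1)
16-May-2016 21:15:03.106 client 198.51.100.9#50002 (www.example.net): query: www.example.net IN A + (192.0.2.1)
"""


def is_random_quad(qname: str) -> bool:
    """True if qname is four three-digit groups, e.g. '331.206.372.214'.

    A trailing dot (the fully-qualified form some logs use) is stripped first,
    so '331.206.372.214.' matches as well. Real dotted-quad-looking names with
    one- or two-digit groups ('192.0.2.1') deliberately do not match.
    """
    return RANDOM_QUAD.match(qname.rstrip(".")) is not None


def parse_query(line: str):
    """Return (client_ip, qname, qtype) for a querylog line, or None if it is
    not a query line."""
    m = QUERY_LOG.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname"), m.group("qtype")


def would_drop(line: str, aaaa_only: bool = True) -> bool:
    """True if the dnsdist rule from the post would drop this query.

    aaaa_only=True mirrors the AndRule{QTypeRule(AAAA), RegexRule(...)} form;
    aaaa_only=False mirrors the bare RegexRule, which drops any qtype.
    """
    parsed = parse_query(line)
    if parsed is None:
        return False
    _, qname, qtype = parsed
    if aaaa_only and qtype != "AAAA":
        return False
    return is_random_quad(qname)


def flood_sources(log_text: str, aaaa_only: bool = True) -> Counter:
    """Count, per client IP, the queries the rule would drop."""
    counts = Counter()
    for line in log_text.splitlines():
        if would_drop(line, aaaa_only):
            counts[parse_query(line)[0]] += 1
    return counts


def drop_ratio(log_text: str, aaaa_only: bool = True) -> float:
    """Fraction of query lines the rule would drop (0.0 .. 1.0)."""
    lines = [l for l in log_text.splitlines() if parse_query(l) is not None]
    if not lines:
        return 0.0
    return sum(would_drop(l, aaaa_only) for l in lines) / len(lines)


if __name__ == "__main__":
    for ip, n in flood_sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} random-quad AAAA queries")
    print(f"share of queries dropped (AAAA only): {drop_ratio(SAMPLE_LOG):.2f}")
    print(f"share of queries dropped (any qtype): {drop_ratio(SAMPLE_LOG, aaaa_only=False):.2f}")
```

Run it against your own querylog (named.conf "querylog yes" or rndc querylog) by reading the file into flood_sources(); if the sources are a handful of addresses, setACL() or a plain firewall rule may be enough, whereas many spoofed sources argue for the qname-based dnsdist rule from the post.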


More information about the bind-users mailing list