On 02/20/2014 08:57 AM, Pavel Zeleny wrote:
Masataka Ohta <mohta <at> necom830.hpcl.titech.ac.jp> writes:
Joe Maimon wrote:
What is the purpose of this? ... Masataka Ohta
Hi guys, for a second, have you any clue how to block this traffic on the DNS server side? As our company operates recursive resolvers for our customers, we can see this weird traffic concentrated in our logs. It started Feb 3 about 16:30 (GMT/UTC+1). A very large amount of DNS A queries are sent from source IP addresses of our customers, and they always look like [randomjunk].SLD.com. We have seen 143 of these SLDs so far, and we had to block them manually one by one. We suspect some kind of botnet, because an attack wave with new SLDs starts at the same time, coming from a broad range of valid non-spoofed source IP addresses. The content of the UDP packets belonging to this traffic doesn't seem to have any identical pattern.
Any ideas are highly appreciated. Thank you!
Pavel Zeleny
iptables -A INPUT -p udp --dport 53 -m hashlimit \
    --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
    --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

So, every prefix (length 28) can send 20 r/s with allowed bursts of 100. This requires a Netfilter >= 1.4 (recent options of module hashlimit).

--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@netwolves.com
http://www.netwolves.com
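The two messages above describe the problem from opposite ends: Pavel sees floods of [randomjunk].SLD.com A queries from many legitimate customer addresses and has to discover each new SLD by hand, while Stephen's hashlimit rule throttles per /28 source prefix without looking at query names. The following script is an added example, not code from either poster or from any resolver vendor: it reads BIND-style query log lines (the log format, the sample lines and the 192.0.2.0/24 documentation addresses are all constructed for the example), groups A queries by SLD, flags SLDs where nearly every query carries a distinct leftmost label and the queries arrive from several clients, and also counts queries per /28 so an operator can see how many customers would share one hashlimit bucket before deploying such a rule. The two-label SLD heuristic is an assumption that fits .com-style names like those in the thread; a real deployment would use the public suffix list.

```python
"""Spot random-subdomain query floods in a recursive resolver's query log."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread) in a BIND-style
# "client IP#port: query: NAME IN TYPE" shape; the addresses are
# documentation-range values chosen for the example.
SAMPLE_LOG = """\
client 192.0.2.10#53120: query: x7kq2p.example.com IN A
client 192.0.2.10#53121: query: a91mzd.example.com IN A
client 192.0.2.11#40001: query: q0pl3v.example.com IN A
client 192.0.2.12#40002: query: zz81ka.example.com IN A
client 192.0.2.13#40003: query: www.example.net IN A
client 192.0.2.13#40004: query: www.example.net IN A
client 192.0.2.14#40005: query: mail.example.net IN A
client 192.0.2.15#40006: query: j4ht6s.example.com IN A
client 192.0.2.15#40007: query: example.net IN MX
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")


def sld_of(qname):
    """Return the last two labels, e.g. 'example.com' (assumed heuristic;
    a real deployment would consult the public suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def sld_stats(log_text):
    """Per SLD: number of A queries, distinct leftmost labels, distinct sources."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "sources": set()})
    for ip, qname, qtype in parse_queries(log_text):
        labels = qname.split(".")
        if qtype != "A" or len(labels) < 3:
            continue  # only A queries for names below the SLD are of interest
        s = stats[sld_of(qname)]
        s["queries"] += 1
        s["labels"].add(labels[0])
        s["sources"].add(ip)
    return stats


def suspicious_slds(log_text, min_queries=3, min_unique_ratio=0.8, min_sources=2):
    """SLDs where nearly every query carries a distinct leftmost label and the
    queries come from several clients: the shape described in the thread."""
    flagged = []
    for sld, s in sld_stats(log_text).items():
        ratio = len(s["labels"]) / s["queries"]
        if (s["queries"] >= min_queries and ratio >= min_unique_ratio
                and len(s["sources"]) >= min_sources):
            flagged.append(sld)
    return sorted(flagged)


def queries_per_prefix(log_text, prefix_len=28):
    """Count queries per source prefix, the same aggregation a hashlimit rule
    with --hashlimit-srcmask 28 applies; shows how many clients share a bucket."""
    counts = defaultdict(int)
    for ip, _qname, _qtype in parse_queries(log_text):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("flagged SLDs:", suspicious_slds(SAMPLE_LOG))
    print("queries per /28:", queries_per_prefix(SAMPLE_LOG))
```

On the sample input example.com is flagged (five queries, five distinct labels, four sources) while example.net is not (the repeated www label keeps its unique-label ratio below the threshold), and all nine queries fall into the single 192.0.2.0/28 bucket, which is the point to weigh before a per-/28 DROP rule: legitimate neighbours of an infected host share its limit.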