On 1/18/2012 1:45 AM, Leigh Porter wrote:
On 18 Jan 2012, at 05:06, "toor"<lists@1337.mx> wrote:
Hi list,
I am wondering if anyone else has seen a large amount of DNS queries coming from various IP ranges in China. I have been trying to find a pattern in the attacks but so far I have come up blank. I am completly guessing these are possibly DNS amplification attacks but I am not sure. Usually what I see is this:
At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..).
It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port.
We are seeing this too, though we don't have the kind of exposure some of the larger providers do. fwiw.. If for some reason, you can't use a dedicated box for DNS and/or a simple acl to protect services on a box, you can turn off connection tracking in iptables per-port using the NOTRACK target. iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NOTRACKTAR... Ken -- Ken Anderson