random dns queries with random sources

Steve Clark sclark at netwolves.com
Thu Feb 20 18:08:05 UTC 2014


On 02/20/2014 08:57 AM, Pavel Zeleny wrote:
> Masataka Ohta <mohta <at> necom830.hpcl.titech.ac.jp> writes:
>
>> Joe Maimon wrote:
>>
>>> What is the purpose of this?
> ...
>> 						Masataka Ohta
>>
> Hi guys,
> for a second, have you any clue how to block this traffic on DNS server
> side? As our company operates recursive resolvers for our customers, we can
> see this weird traffic concentrated in our logs. It started Feb 3 about
> 16:30 (GMT/UTC+1). Very large amount of DNS A queries are sent from source
> IP addresses of our customers, and they always looks like
> [randomjunk].SLD.com. We have seen 143 this SLD's so far, and we had to
> block it manually one by one.
> We suspect some kind of botnet, because attack wave with new SLD's starts at
> the same time, coming from broad range of valid non-spoofed source IP
> addresses. Content of UDP packets belonging to this traffic doesn't seem to
> have any identical pattern.
>
> Any ideas are highly appreciated.
> Thank you!
>
> Pavel Zeleny
>
>
iptables -A INPUT -p udp --dport 53 -m hashlimit \
    --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
    --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

So, every prefix (length 28) can send 20 r/s with allowed bursts of
100. This requires a Netfilter >= 1.4 (recent options of module hashlimit).


-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com


More information about the NANOG mailing list