random dns queries with random sources

Steve Clark sclark at netwolves.com
Thu Feb 20 18:08:05 UTC 2014


On 02/20/2014 08:57 AM, Pavel Zeleny wrote:
> Masataka Ohta <mohta <at> necom830.hpcl.titech.ac.jp> writes:
>
>> Joe Maimon wrote:
>>
>>> What is the purpose of this?
> ...
>> 						Masataka Ohta
>>
> Hi guys,
> for a second, do you have any clue how to block this traffic on the DNS server
> side? As our company operates recursive resolvers for our customers, we can
> see this weird traffic concentrated in our logs. It started Feb 3 at about
> 16:30 (GMT/UTC+1). A very large number of DNS A queries are sent from the source
> IP addresses of our customers, and they always look like
> [randomjunk].SLD.com. We have seen 143 of these SLDs so far, and we had to
> block them manually one by one.
> We suspect some kind of botnet, because attack waves with new SLDs start at
> the same time, coming from a broad range of valid non-spoofed source IP
> addresses. The content of the UDP packets belonging to this traffic doesn't seem to
> have any identical pattern.
>
> Any ideas are highly appreciated.
> Thank you!
>
> Pavel Zeleny
>
>
iptables -A INPUT -p udp --dport 53 -m hashlimit \
    --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
    --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

So, every prefix (length 28) can send 20 r/s with allowed bursts of
100. This requires Netfilter >= 1.4 (recent options of the hashlimit module).


-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
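Before putting a rule like the one above in front of a customer-facing resolver, it is worth replaying a slice of the query log against the same parameters to see which source prefixes would actually be throttled and whether any normal customers fall into the bucket. The script below is an added example (not part of the thread and not NetWolves' or the list's code): it approximates xt_hashlimit as a per-/28 token bucket with the values from the rule (20 queries/s sustained, burst 100; the kernel's exact accounting differs slightly), and at the same time tallies queries per SLD with the number of distinct first labels, which is the [randomjunk].SLD.com signature from the quoted message. The log format, the addresses (RFC 5737 ranges) and the SLD name are constructed placeholders.

```python
"""Dry-run a hashlimit-style per-/28 rate limit over a constructed DNS query log
and tally the random-first-label pattern per SLD.  Token bucket is an
approximation of xt_hashlimit (assumption), kept in integer milli-tokens so the
counts are exact and reproducible."""

import ipaddress
import random
from collections import defaultdict

RATE_PER_SEC = 20   # --hashlimit-above 20/second
BURST = 100         # --hashlimit-burst 100
SRCMASK = 28        # --hashlimit-srcmask 28


class TokenBucket:
    """Integer token bucket: 1 query costs 1000 milli-tokens."""

    def __init__(self, rate_per_sec, burst):
        self.refill_per_ms = rate_per_sec          # rate/s * 1000 milli / 1000 ms
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = None

    def allow(self, ts_ms):
        if self.last_ms is not None:
            self.tokens = min(self.capacity,
                              self.tokens + (ts_ms - self.last_ms) * self.refill_per_ms)
        self.last_ms = ts_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def prefix_key(ip, mask=SRCMASK):
    """Collapse a source address to its /mask network, as --hashlimit-srcmask does."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def sld_of(qname):
    """Registered-domain approximation: last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def replay(log_lines, rate=RATE_PER_SEC, burst=BURST, mask=SRCMASK):
    """Constructed log line format: '<epoch_ms> <src_ip> <qname>'.
    Returns ({prefix: {'allowed', 'dropped'}}, {sld: {'queries', 'distinct_labels'}})."""
    buckets = {}
    per_prefix = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    per_sld = defaultdict(lambda: {"queries": 0, "labels": set()})
    for line in log_lines:
        ts_ms, src, qname = line.split()
        key = prefix_key(src, mask)
        bucket = buckets.setdefault(key, TokenBucket(rate, burst))
        per_prefix[key]["allowed" if bucket.allow(int(ts_ms)) else "dropped"] += 1
        sld = sld_of(qname)
        per_sld[sld]["queries"] += 1
        per_sld[sld]["labels"].add(qname.split(".")[0])
    sld_stats = {s: {"queries": v["queries"], "distinct_labels": len(v["labels"])}
                 for s, v in per_sld.items()}
    return dict(per_prefix), sld_stats


def constructed_log():
    """Constructed sample: three hosts in 198.51.100.16/28 send 300 random-label
    queries over 3 s (flood); one host in 203.0.113.0/28 sends 30 queries at
    10/s (normal customer).  Sorted by timestamp as a real log would be."""
    rng = random.Random(1)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = []
    for i in range(300):
        junk = "".join(rng.choice(alphabet) for _ in range(8))
        lines.append(f"{i * 10} 198.51.100.{17 + i % 3} {junk}.sld-placeholder.com")
    for i in range(30):
        lines.append(f"{i * 100} 203.0.113.5 www.example.net")
    lines.sort(key=lambda l: int(l.split()[0]))
    return lines


if __name__ == "__main__":
    prefixes, slds = replay(constructed_log())
    for key, c in sorted(prefixes.items()):
        print(f"{key:20} allowed={c['allowed']:4} dropped={c['dropped']:4}")
    for sld, s in sorted(slds.items()):
        print(f"{sld:22} queries={s['queries']:4} distinct_first_labels={s['distinct_labels']}")
```

With the constructed sample the flooding /28 burns its burst of 100 and then gets one query through per 50 ms, so 159 of its 300 queries pass and 141 are dropped, while the 10/s customer prefix is never touched; the SLD table shows the flood's 300 queries spread over roughly as many distinct first labels against a single label for the normal name. Pointing `replay()` at real resolver logs (with the timestamps converted to milliseconds) gives the same two views before the iptables rule is committed.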


