nanog mailing list archives

Re: random dns queries with random sources


From: Steve Clark <sclark () netwolves com>
Date: Thu, 20 Feb 2014 13:08:05 -0500

On 02/20/2014 08:57 AM, Pavel Zeleny wrote:
Masataka Ohta <mohta <at> necom830.hpcl.titech.ac.jp> writes:

Joe Maimon wrote:

What is the purpose of this?
...
                                                Masataka Ohta

Hi guys,
for a second, have you any clue how to block this traffic on the DNS server
side? As our company operates recursive resolvers for our customers, we can
see this weird traffic concentrated in our logs. It started Feb 3 at about
16:30 (GMT/UTC+1). A very large number of DNS A queries are sent from source
IP addresses of our customers, and they always look like
[randomjunk].SLD.com. We have seen 143 of these SLDs so far, and we had to
block them manually one by one.
We suspect some kind of botnet, because the attack wave with new SLDs starts at
the same time, coming from a broad range of valid non-spoofed source IP
addresses. The content of the UDP packets belonging to this traffic doesn't seem to
have any identical pattern.

Any ideas are highly appreciated.
Thank you!

Pavel Zeleny


iptables -A INPUT -p udp --dport 53 -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

So, every prefix (length 28) can send 20 r/s with allowed bursts of
100. This requires Netfilter >= 1.4 (recent options of the hashlimit module).


--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark () netwolves com
http://www.netwolves.com
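The hashlimit rule above caps the rate per /28 but does not tell you which SLDs to block. As an added example (not Steve Clark's rule or anything posted in the thread), the following Python flags the pattern Pavel describes in BIND-style query logs: many A queries for never-repeating [randomjunk].SLD.com names, spread over several customer addresses. The log lines, labels, addresses and thresholds are constructed for the example.

```python
# Added example (not from the NANOG thread): spot random-label floods in
# BIND-style query logs by grouping A queries per SLD.
import re
from collections import defaultdict

# BIND querylog shape: "client 10.0.0.5#5353 (name): query: name IN A +"
LOG_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed sample log, not real customer traffic; the labels are made up.
FLOOD_LABELS = ["qz8k1ma", "t0b3vwp", "x91lqdd", "hh2mz7e", "a4c0ps1", "nq9rtf2", "kk0d8ja", "v7wez3b"]
SAMPLE_LOG = [
    f"20-Feb-2014 16:30:0{i}.000 client 10.0.0.{i % 4 + 1}#5353 "
    f"({lbl}.victim-sld.com): query: {lbl}.victim-sld.com IN A +"
    for i, lbl in enumerate(FLOOD_LABELS)
] + [
    # Ordinary traffic: the same few names repeat, so the name set stays small.
    "20-Feb-2014 16:30:09.000 client 10.0.0.1#5353 (www.example.com): query: www.example.com IN A +",
    "20-Feb-2014 16:30:09.100 client 10.0.0.2#5353 (www.example.com): query: www.example.com IN A +",
    "20-Feb-2014 16:30:09.200 client 10.0.0.3#5353 (mail.example.com): query: mail.example.com IN MX +",
] * 3


def sld_of(qname):
    """Last two labels: 'qz8k1ma.victim-sld.com' -> 'victim-sld.com'."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def suspicious_slds(lines, min_queries=8, min_unique_ratio=0.9, min_sources=3):
    """Return {sld: (queries, distinct_names, sources)} for SLDs whose A queries
    almost never repeat a name and arrive from several clients at once."""
    stats = defaultdict(lambda: {"q": 0, "names": set(), "src": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("qtype") != "A":
            continue
        s = stats[sld_of(m.group("qname"))]
        s["q"] += 1
        s["names"].add(m.group("qname").lower())
        s["src"].add(m.group("src"))
    flagged = {}
    for sld, s in stats.items():
        if (s["q"] >= min_queries
                and len(s["names"]) / s["q"] >= min_unique_ratio
                and len(s["src"]) >= min_sources):
            flagged[sld] = (s["q"], len(s["names"]), len(s["src"]))
    return flagged
```

The flagged SLDs are the ones worth a response-policy or filter entry, while ordinary zones whose names repeat stay below the unique-name ratio even under heavy load.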

