nanog mailing list archives
Re: random dns queries with random sources
From: Steve Clark <sclark () netwolves com>
Date: Thu, 20 Feb 2014 13:08:05 -0500
On 02/20/2014 08:57 AM, Pavel Zeleny wrote:
> Masataka Ohta <mohta <at> necom830.hpcl.titech.ac.jp> writes:
> > Joe Maimon wrote:
> > > What is the purpose of this?
> > ...
> > Masataka Ohta
>
> Hi guys,
> for a second, have you any clue how to block this traffic on the DNS server side? As our company operates recursive resolvers for our customers, we can see this weird traffic concentrated in our logs. It started Feb 3 about 16:30 (GMT/UTC+1). A very large amount of DNS A queries are sent from source IP addresses of our customers, and they always look like [randomjunk].SLD.com. We have seen 143 of these SLDs so far, and we had to block them manually one by one. We suspect some kind of botnet, because an attack wave with new SLDs starts at the same time, coming from a broad range of valid non-spoofed source IP addresses. The content of UDP packets belonging to this traffic doesn't seem to have any identical pattern.
>
> Any ideas are highly appreciated. Thank you!
>
> Pavel Zeleny
iptables -A INPUT -p udp --dport 53 -m hashlimit \
    --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
    --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

So, every prefix (length 28) can send 20 r/s with allowed bursts of 100. This requires a Netfilter >= 1.4 (recent options of module hashlimit).

--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark () netwolves com
http://www.netwolves.com
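A simplified token-bucket model of the hashlimit rule in the reply above, added here as an example; it is not part of the original post and not netfilter's own implementation. It shows that all sources inside one /28 share a single budget of 20 queries/second with a burst of 100, so a busy host can cause drops for its neighbours. The class and function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

RATE = 20.0    # --hashlimit-above 20/second
BURST = 100.0  # --hashlimit-burst 100
SRCMASK = 28   # --hashlimit-srcmask 28


class PrefixLimiter:
    """One token bucket per source /28 (simplified model, not xt_hashlimit)."""

    def __init__(self, rate=RATE, burst=BURST, srcmask=SRCMASK):
        self.rate, self.burst, self.srcmask = rate, burst, srcmask
        self.buckets = {}  # prefix -> (tokens, time of last packet)

    def key(self, src_ip):
        # --hashlimit-mode srcip + --hashlimit-srcmask: mask the source first.
        return ipaddress.ip_network(f"{src_ip}/{self.srcmask}", strict=False)

    def allow(self, src_ip, now):
        """True if the packet passes, False if the rule would DROP it."""
        k = self.key(src_ip)
        tokens, last = self.buckets.get(k, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        passed = tokens >= 1.0
        self.buckets[k] = (tokens - 1.0 if passed else tokens, now)
        return passed


def replay(packets, limiter=None):
    """packets: (timestamp_seconds, src_ip) pairs -> {src_ip: [passed, dropped]}."""
    limiter = limiter or PrefixLimiter()
    stats = {}
    for ts, src in sorted(packets):
        counts = stats.setdefault(src, [0, 0])
        counts[0 if limiter.allow(src, ts) else 1] += 1
    return stats


def sample_traffic():
    # Constructed traffic: 192.0.2.17 sends 300 queries at once; 192.0.2.20
    # (same /28) and 198.51.100.5 (different /28) each send three queries.
    pkts = [(0.0, "192.0.2.17")] * 300
    for ts in (0.01, 0.02, 1.0):
        pkts += [(ts, "192.0.2.20"), (ts, "198.51.100.5")]
    return pkts


if __name__ == "__main__":
    for src, (ok, dropped) in replay(sample_traffic()).items():
        print(f"{src:15} passed={ok:3} dropped={dropped:3}")
```

In this model the quiet host 192.0.2.20 loses its first two queries because its neighbour emptied the shared bucket, and is served again once the bucket has refilled.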