Hello, someone suggested I ask in here.

From the log:

16-Jan-2009 19:42:17.105 queries: info: client 69.50.137.175#49046: query: . IN NS +
16-Jan-2009 19:42:17.215 queries: info: client 69.50.137.175#1521: query: . IN NS +
16-Jan-2009 19:42:18.495 queries: info: client 69.50.137.175#1007: query: . IN NS +
16-Jan-2009 19:42:18.599 queries: info: client 69.50.137.175#27729: query: . IN NS +
16-Jan-2009 19:42:19.150 queries: info: client 69.50.137.175#46079: query: . IN NS +
16-Jan-2009 19:42:21.168 queries: info: client 69.50.137.175#47562: query: . IN NS +
16-Jan-2009 19:42:21.336 queries: info: client 69.50.137.175#16400: query: . IN NS +


I understand the idea of this is that multiple nameservers, including mine, respond to the spoofed ip address.

As a temporary measure I have blocked the target's /20 ip addresses for udp for port 53 in my router (blocked seems to mean drop as far as I can tell from the logs).

I have also tried a more generic iptables solution but I am worried that this might have adverse effects on legitimate queries, such as from my secondaries:

# Record every new UDP/53 flow from sources outside the secondaries' /28
# in the "recent" list (the negation goes before -s in current iptables).
iptables -I INPUT -p udp --dport 53 -i eth0 ! -s 81.187.211.32/28 -m state --state NEW -m recent \
   --set

# Inserted above the rule above, so it is checked first: drop a source once
# it has been seen 20 or more times within the last 60 seconds.
iptables -I INPUT -p udp --dport 53 -i eth0 ! -s 81.187.211.32/28 -m state --state NEW -m recent \
   --update --seconds 60 --hitcount 20 -j DROP


I tried it with a hit count of 30 and that stopped it working and I don't know why.

I should be grateful for any advice here because, I understand, I could be regarded as attacking 69.50.137.175.


--
Alan

( If replying by mail, please note that all "sardines" are canned.
  However, unless this is a very old message, a "tuna" will swim right
  through. )

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
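Added example (not part of the original post): a small log checker that applies the same "N root NS queries within a sliding window, except from trusted networks" logic as the iptables rules above to BIND query-log lines, so a source can be spotted in the log before a firewall rule is written. The query lines are the ones from the post; the extra line from a secondary is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# BIND "queries" category line, e.g.
# 16-Jan-2009 19:42:17.105 queries: info: client 69.50.137.175#49046: query: . IN NS +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Sample input: the seven lines quoted in the post plus one constructed line
# from a secondary (81.187.211.33 is inside the post's 81.187.211.32/28).
SAMPLE_LOG = [
    "16-Jan-2009 19:42:17.105 queries: info: client 69.50.137.175#49046: query: . IN NS +",
    "16-Jan-2009 19:42:17.215 queries: info: client 69.50.137.175#1521: query: . IN NS +",
    "16-Jan-2009 19:42:18.495 queries: info: client 69.50.137.175#1007: query: . IN NS +",
    "16-Jan-2009 19:42:18.599 queries: info: client 69.50.137.175#27729: query: . IN NS +",
    "16-Jan-2009 19:42:19.000 queries: info: client 81.187.211.33#53: query: example.com IN SOA -",
    "16-Jan-2009 19:42:19.150 queries: info: client 69.50.137.175#46079: query: . IN NS +",
    "16-Jan-2009 19:42:21.168 queries: info: client 69.50.137.175#47562: query: . IN NS +",
    "16-Jan-2009 19:42:21.336 queries: info: client 69.50.137.175#16400: query: . IN NS +",
]

def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for a non-query line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("name"), m.group("type")

def flag_amplifiers(lines, seconds=60, hitcount=20, trusted=()):
    """Flag clients that send >= hitcount '. IN NS' queries within a sliding
    window of `seconds`; sources inside `trusted` networks are never flagged.
    Returns {client_ip: time of the query that crossed the threshold}."""
    trusted_nets = [ip_network(n) for n in trusted]
    window = defaultdict(deque)   # per-client timestamps inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname, qtype = parsed
        if (qname, qtype) != (".", "NS"):           # only root NS queries count
            continue
        if any(ip_address(ip) in net for net in trusted_nets):
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:  # expire old hits
            q.popleft()
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

With the post's 20-in-60s threshold the seven quoted lines do not trigger; a lower hit count shows the mechanism. On the hit count of 30 failing: xt_recent refuses a --hitcount larger than its ip_pkt_list_tot module parameter, whose default is 20.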
