Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread Marek Królikowski
Hello, I was thinking of blocking only the clients who attack, with something like this:
/sbin/iptables --insert INPUT -s IP-ADDRESS-CLIENT-WHO-ATTACK -p udp --dport 53 -m string --from 40 --to 80 --algo bm --hex-string '|somethinghere|' -j DROP -m comment --comment "DROP DNS DDoS"
Anyone know how

RE: New type of DDoS? Anyone saw it?

2016-05-16 Thread Marek Królikowski
o:bert.hub...@netherlabs.nl]
Sent: Monday, May 16, 2016 5:45 PM
To: Marek Królikowski
Cc: bind-users@lists.isc.org
Subject: Re: New type of DDoS? Anyone saw it?
On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today I saw my bind eat almost 90% of RAM when I chec

New type of DDoS? Anyone saw it?

2016-05-16 Thread Marek Królikowski
Hello, Today I saw my bind eat almost 90% of RAM. When I checked the logs I found an interesting DDoS on my DNS Cluster today:
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212 IN + (8X.1X0.Y.Y)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: slip response to 8X.1X0.33.0/24 f