On 8/3/2014 7:36 AM, Ruud Baart wrote:
> Tom,
>
> It is now nearly two months later and I can safely conclude that blocking
> the DNS cache queries works for our servers. It takes a lot of load from
> our DNS servers.
>
> Because the shorewall rule to block this attack is so effective and
> because I think we are not the only ones that are severely attacked,
> would it be an idea to make this rule a documented and maintained part
> of Shorewall? If so, below is a start of documenting this rule. Perhaps
> other people can help and make it a well documented part of Shorewall.

Good idea.

> 4. Part of the rule is --hex-string "|01000001|". This works but is
> most likely not precise enough. There is no guarantee that only the
> queries with recursion desired flags are blocked. There must be a
> way to block the packets more precisely. Perhaps with the iptables
> options "-m u32 --u32"? I'm not capable of writing such a rule.

Have you looked at http://www.stearns.org/doc/iptables-u32.current.html?
The 'Checking for values in the UDP payload' section already shows you
how to check for DNS queries using "-m u32 --u32 ..."

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
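Added example, not code from the thread or from Shorewall: a small Python script that shows why the `--hex-string "|01000001|"` match is imprecise. The four bytes are the DNS flags field (0x0100 = recursion desired) followed by QDCOUNT = 1, but a string match looks for that sequence anywhere in the payload, so it misses recursive queries that also carry another flag bit (for example AD, which current stub resolvers commonly set) and can hit responses whose answer data happens to contain the same bytes. The script builds constructed DNS messages, evaluates both the string-match heuristic and a check anchored at the flags offset, and returns a `u32` location expression for the anchored check. The expression is an assumption built from the syntax in the stearns.org document (IPv4 only) and has not been tested against a live iptables; the sample messages and the TTL value are constructed for this example.

```python
import struct

# Bit positions in the 16-bit DNS flags field (RFC 1035 section 4.1.1).
QR = 0x8000  # 0 = query, 1 = response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authentic data (many stub resolvers set it on queries)

# The byte pattern used by the rule discussed in the thread: --hex-string "|01000001|".
PATTERN = bytes.fromhex("01000001")


def dns_message(txid, flags, question=b"\x07example\x03com\x00\x00\x01\x00\x01", answer=b""):
    """Build a minimal DNS message: 12-byte header, one question, optional answer RRs.
    Constructed sample data for this example, not traffic from the list thread."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def hex_string_match(payload):
    """Emulate -m string --hex-string: true if the bytes occur anywhere in the payload."""
    return PATTERN in payload


def positional_match(payload):
    """Emulate an offset-anchored check: QR clear and RD set in the flags field (bytes 2..3)."""
    if len(payload) < 12:
        return False
    (flags,) = struct.unpack("!H", payload[2:4])
    return flags & (QR | RD) == RD


# Constructed answer RR whose TTL bytes happen to equal the pattern:
# name pointer c0 0c, type A, class IN, TTL 0x01000001, rdlength 4, address 10.0.0.1
RR_WITH_PATTERN_IN_TTL = b"\xc0\x0c\x00\x01\x00\x01" + PATTERN + b"\x00\x04\x0a\x00\x00\x01"

SAMPLES = {
    "recursive query": dns_message(0x1234, RD),
    "recursive query with AD bit": dns_message(0x1234, RD | AD),
    "iterative query (RD clear)": dns_message(0x1234, 0),
    "response with pattern inside an answer TTL": dns_message(0x1234, QR | RD | RA,
                                                              answer=RR_WITH_PATTERN_IN_TTL),
}


def compare():
    """Return {sample name: (hex-string result, positional result)} for every sample."""
    return {name: (hex_string_match(p), positional_match(p)) for name, p in SAMPLES.items()}


def u32_rd_query_expression():
    """Assumed iptables u32 location expression for the anchored check (IPv4 only), built
    from the syntax described at stearns.org; untested here, verify before deploying.
      0>>22&0x3C   IPv4 header length in bytes (IHL * 4)
      @8           skip the 8-byte UDP header, read 4 bytes: ID (high 16) + flags (low 16)
      &0x8100      keep only the QR and RD bits
      =0x100       QR clear, RD set
    """
    return "0>>22&0x3C@8&0x8100=0x100"


if __name__ == "__main__":
    for name, (hex_hit, pos_hit) in compare().items():
        print(f"{name:45s} hex-string={hex_hit!s:5s} positional={pos_hit}")
    print("u32 expression:", u32_rd_query_expression())
```

Running it shows the two failure modes side by side: the string match misses the query with the AD bit set and fires on the response carrying the pattern in a TTL, while the flags-offset check gets all four right. Neither check verifies that the payload is DNS at all, so either belongs in a rule that already matches UDP port 53.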
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
