[BlueOnyx:05357] Re: New DFix release

Greg Kuhnert gkuhnert at compassnetworks.com.au
Tue Sep 7 23:48:26 -05 2010


The traffic you have shown me is identical to attack traffic. The only 
difference is that this traffic is hitting you because of an 
incorrectly configured DNS registry entry. The easy solution: configure 
some DNS entries for the domain... and point them to, say, Google or, 
better still, send them to a web site advertising your company!

Moving forward, I have been working on a total re-write of dfix. The 
newer version will be more granular, with the ability to enable or 
disable individual rules, or to fine tune thresholds for individual 
rules without impacting other settings.

The new version will run as a daemon constantly monitoring, so there 
will be no more cron jobs executing every minute. Blocks will happen as 
soon as a threshold is breached, providing faster, more immediate protection.

The number of signatures has more than doubled since the current 
version, and "badguys" are blocked much faster as a result of more input 
data.

Equally important is the improved auto-whitelist system. Once a user 
authenticates to your server, they will be immune for a pre-configured 
duration (say 24 hours).

Stay tuned for more news soon.

Regards,
Greg.

On 8/09/2010 2:04 PM, Abdul Rashid Abdullah wrote:
> I don't own them.
>
>
> On 9/7/10 6:44 PM, "Greg Kuhnert"<gkuhnert at compassnetworks.com.au>  wrote:
>
>> My advice to you would be to go back to the domain registrar and
>> update the NS records. There is no way I can differentiate between this
>> behaviour and a DNS-based DDoS attempt.
>>
>> It's bad form to leave them pointing to your server if you don't host the
>> domain. Why not convert it to a "parked" domain or something...
>>
>> Regards,
>> Greg.
>>
>> On 7/09/2010 10:03 PM, Abdul Rashid Abdullah wrote:
>>> Greg,
>>>
>>> For feedback purposes only, I would like to say after updating to this
>>> version, I am getting many messages similar to the following:
>>>
>>> Warning: Blocking 78.31.111.10
>>> Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#39576: query (cache) 'auntiealoha.com/MX/IN' denied
>>> Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#27275: query (cache) 'auntiealoha.com/MX/IN' denied
>>> Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#19183: query (cache) 'auntiealoha.com/MX/IN' denied
>>> Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#60083: query (cache) 'auntiealoha.com/MX/IN' denied
>>> Sep  7 07:53:30 baraka named[6886]: client 78.31.111.10#12462: query (cache) 'auntiealoha.com/MX/IN' denied
>>>
>>> All of the domains this is coming up for are domains that neither I nor
>>> anyone else is hosting any longer.  However, the domains are still registered
>>> and pointed to me.  Basically, these are organizations/companies that folded.
>>> So someone is trying to see if there is still anything out there for them.
>>>
>>> Regards,
>>>
>>> Rashid
>>>
>>>
>>> On 9/4/10 5:33 PM, "Greg Kuhnert"<gkuhnert at compassnetworks.com.au>   wrote:
>>>
>>>> I've mentioned recently a type of attack I have seen that uses spoofed
>>>> DNS packets. From all reports, it appears I am the only one around here
>>>> that has been hit. However, I have still decided to put the detection of
>>>> this attack as a new feature in DFix.
>>>>
>>>> At the same time, I have done a cleanup of the block/unblock code. It's
>>>> now a lot cleaner. I have also changed the action from "reject" to
>>>> "block" as the action when an attack is detected.
>>>>
>>>> Enjoy.
>>> _______________________________________________
>>> Blueonyx mailing list
>>> Blueonyx at blueonyx.it
>>> http://www.blueonyx.it/mailman/listinfo/blueonyx
>


-- 
+---------------------------------------------------------------------+
|   / \   Greg Kuhnert, gkuhnert at compassnetworks.com.au               |
|<   o>  Compass Networks - Pointing you in the right direction      |
|   \ /   Come see us for BlueQuartz / BlueOnyx modules&  Support.    |
+---------------------------------------------------------------------+
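DFix's own source is not on this page, so the following is an added illustration written for this archive, not code from DFix or from Greg: it shows the kind of check the thread describes, counting BIND "query ... denied" lines per client inside a time window, blocking once a threshold is reached, and skipping clients on an auto-whitelist of recently authenticated users. The sample log is constructed from the lines Rashid quoted plus one unrelated denial from the assumed address 192.0.2.5 and one ordinary named line that must be ignored.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND "query (cache) '...' denied" line, in the shape quoted in the thread.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<name>[^']+)' denied$"
)

# Constructed sample log (client 192.0.2.5 and the last two lines are assumptions).
SAMPLE_LINES = [
    "Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#39576: query (cache) 'auntiealoha.com/MX/IN' denied",
    "Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#27275: query (cache) 'auntiealoha.com/MX/IN' denied",
    "Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#19183: query (cache) 'auntiealoha.com/MX/IN' denied",
    "Sep  7 07:53:30 baraka named[6886]: client 78.31.111.10#12462: query (cache) 'auntiealoha.com/MX/IN' denied",
    "Sep  7 07:54:02 baraka named[6886]: client 192.0.2.5#4123: query (cache) 'example.net/A/IN' denied",
    "Sep  7 07:54:05 baraka named[6886]: zone example.org/IN: loaded serial 2010090701",
]

def parse_denied(line, year=2010):
    """Return (timestamp, client_ip, query_name) for a denied-query line, else None."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["name"]

def find_offenders(lines, threshold=4, window_s=60, whitelist=()):
    """Map client IP -> peak denials seen inside any window_s span, for clients reaching threshold."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue  # not a denied query: nothing to count
        ts, ip, _ = parsed
        if ip in whitelist:
            continue  # auto-whitelist: recently authenticated user is immune
        hits[ip].append(ts)
    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0  # sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders
```

With the defaults, `find_offenders(SAMPLE_LINES)` reports only 78.31.111.10 (four denials within 11 seconds); passing that address in `whitelist` suppresses the block, which is the behaviour Greg describes for authenticated users.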