[BlueOnyx:05355] Re: New DFix release

Greg Kuhnert gkuhnert at compassnetworks.com.au
Tue Sep 7 17:44:13 -05 2010


  My advice to you would be to go back to the domain registrar and
update the NS records. There is no way I can differentiate between this
behaviour and a DNS-based DDoS attempt.

It's bad form to leave them pointing to your server if you don't host the
domain. Why not convert it to a "parked" domain or something...

Regards,
Greg.

On 7/09/2010 10:03 PM, Abdul Rashid Abdullah wrote:
> Greg,
>
> For feedback purposes only, I would like to say after updating to this
> version, I am getting many messages similar to the following:
>
> Warning: Blocking 78.31.111.10
> Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#39576: query (cache)
> 'auntiealoha.com/MX/IN' denied
> Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#27275: query (cache)
> 'auntiealoha.com/MX/IN' denied
> Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#19183: query (cache)
> 'auntiealoha.com/MX/IN' denied
> Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#60083: query (cache)
> 'auntiealoha.com/MX/IN' denied
> Sep  7 07:53:30 baraka named[6886]: client 78.31.111.10#12462: query (cache)
> 'auntiealoha.com/MX/IN' denied
>
> All of the domains this is coming up for are domains that neither I nor
> anyone else is hosting any longer.  However, the domains are still
> registered and pointed to me.  Basically, these are organizations/companies
> that folded.  So someone is trying to see if there is still anything out
> there for them.
>
> Regards,
>
> Rashid
>
>
> On 9/4/10 5:33 PM, "Greg Kuhnert"<gkuhnert at compassnetworks.com.au>  wrote:
>
>>    I've mentioned recently a type of attack I have seen that uses spoofed
>> DNS packets. From all reports, it appears I am the only one around here
>> that has been hit. However, I have still decided to put the detection of
>> this attack as a new feature in DFix.
>>
>> At the same time, I have done a cleanup of the block/unblock code. It's
>> now a lot cleaner. I have also changed the action from "reject" to
>> "block" as the action when an attack is detected.
>>
>> Enjoy.


-- 
+---------------------------------------------------------------------+
|   / \   Greg Kuhnert, gkuhnert at compassnetworks.com.au               |
|<   o>  Compass Networks - Pointing you in the right direction      |
|   \ /   Come see us for BlueQuartz / BlueOnyx modules&  Support.    |
+---------------------------------------------------------------------+
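
An added example, not DFix's own code and not from either poster: a sliding-window counter over `named` "query (cache) ... denied" lines in the format quoted above, showing why a burst of lookups for a lapsed domain and an attack look the same in the log. The threshold, window, year and the 192.0.2.55 line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the named log format quoted in the thread; other BIND versions differ.
DENIED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client ([0-9A-Fa-f.:]+)#\d+: query \(cache\) '([^/']+)/(\w+)/\w+' denied"
)

# The five lines from the thread, re-joined onto single lines as syslog
# writes them, plus two constructed lines (192.0.2.55 and a non-query line).
SAMPLE = [
    "Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#39576: query (cache) 'auntiealoha.com/MX/IN' denied",
    "Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#27275: query (cache) 'auntiealoha.com/MX/IN' denied",
    "Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#19183: query (cache) 'auntiealoha.com/MX/IN' denied",
    "Sep  7 07:53:19 baraka named[6886]: client 78.31.111.10#60083: query (cache) 'auntiealoha.com/MX/IN' denied",
    "Sep  7 07:53:30 baraka named[6886]: client 78.31.111.10#12462: query (cache) 'auntiealoha.com/MX/IN' denied",
    "Sep  7 07:53:31 baraka named[6886]: client 192.0.2.55#40000: query (cache) 'example.org/A/IN' denied",
    "Sep  7 07:53:32 baraka named[6886]: zone example.org/IN: loaded serial 1",
]

def find_bursts(lines, threshold=4, window=timedelta(seconds=10), year=2010):
    """Return {client_ip: sorted names queried} for every client that reaches
    `threshold` denied cache queries within `window`.
    threshold, window and year are assumed values, not DFix settings."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    names = defaultdict(set)     # client -> every name/type seen so far
    flagged = {}
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue
        # syslog omits the year, so one is supplied to build a full timestamp
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        client = m.group(2)
        names[client].add(f"{m.group(3)}/{m.group(4)}")
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            # UDP source addresses can be spoofed, so this address may be
            # the victim of the traffic rather than its sender.
            flagged[client] = sorted(names[client])
    return flagged
```

With the assumed defaults, the four queries logged at 07:53:19 are enough to flag 78.31.111.10, while the single query from 192.0.2.55 is not.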



