[BlueOnyx:12568] Re: DNS Spamming

Will Nordmeyer, WnA Consulting Services will at wnahosting.com
Mon Mar 18 14:10:27 -05 2013


On Mon, 18 Mar 2013 12:33:03 -0500, Gerald Waugh
<gwaugh at frontstreetnetworks.com> wrote:
> On 03/18/2013 06:00 AM, Will Nordmeyer wrote:
>>
>> Last night (actually over the past few days), my server has been
>> hammered with DNS requests (to the tune of about 5 Mb/sec bandwidth, 6
>> IPs, 10-20 connections, thousands of requests)... Is there a way for
>> bfd/apf or another tool to monitor for this and add the offending
>> servers to either deny_hosts.rules or iptables?
>>
>>
> /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 53 -m state --state NEW -m recent --set --name DNS --rsource
> 
> /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 53 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name DNS --rsource -j LOG --log-prefix "Block DNS port 53 Attack "
> 
> /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 53 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name DNS --rsource -j DROP

Gerald,

Just to confirm - the first line sets up a counter, the second line
logs a DNS attack after 10 hits in 60 seconds and the 3rd one drops
further DNS queries from that annoying site?
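Added example, not from the thread: a small Python model of the three quoted rules that checks the reading in the reply above. It follows the documented xt_recent behaviour: `--set` records a timestamp for the source address on every NEW packet, and `--update --seconds 60 --hitcount 10` matches when the source already has at least 10 timestamps inside the last 60 seconds, recording one more whenever it matches. The `--rttl` TTL check and the kernel's per-address timestamp limit (ip_pkt_list_tot, default 20) are left out, and the traffic is constructed.

```python
from collections import defaultdict

WINDOW = 60     # --seconds 60
HITCOUNT = 10   # --hitcount 10

def hits_in_window(stamps, now, window):
    """Number of recorded timestamps no older than `window` seconds."""
    return sum(1 for t in stamps if now - t <= window)

def simulate(connections, window=WINDOW, hitcount=HITCOUNT):
    """connections: (timestamp_seconds, source_ip) pairs for NEW TCP/53
    packets in arrival order. Returns (ts, ip, action) per packet, where
    action is 'ACCEPT' (fell through all three rules) or 'LOG+DROP'."""
    recent = defaultdict(list)   # the --name DNS list: ip -> timestamps
    actions = []
    for ts, ip in connections:
        # rule 1: -m recent --set --name DNS (no target, packet continues)
        recent[ip].append(ts)
        # rule 2: --update --seconds 60 --hitcount 10 ... -j LOG
        logged = hits_in_window(recent[ip], ts, window) >= hitcount
        if logged:
            recent[ip].append(ts)    # --update adds a stamp when it matches
        # rule 3: same match, -j DROP. Rule 2 matching implies rule 3 does.
        if hits_in_window(recent[ip], ts, window) >= hitcount:
            recent[ip].append(ts)
            actions.append((ts, ip, "LOG+DROP"))
        else:
            actions.append((ts, ip, "ACCEPT"))
    return actions

def first_blocked(actions, ip):
    """1-based number of the first connection from ip that was dropped."""
    n = 0
    for _, src, action in actions:
        if src == ip:
            n += 1
            if action == "LOG+DROP":
                return n
    return None

# Constructed sample traffic (not from the thread): 192.0.2.10 opens one
# TCP/53 connection per second for 12 s, then goes quiet and tries once more
# 61 s after its last attempt; 192.0.2.20 opens only 5 in the same minute.
SAMPLE = sorted(
    [(t, "192.0.2.10") for t in range(12)] + [(11 + 61, "192.0.2.10")]
    + [(t * 12, "192.0.2.20") for t in range(5)]
)

if __name__ == "__main__":
    for ts, ip, action in simulate(SAMPLE):
        print(f"t={ts:3d}s {ip:12s} {action}")
```

Running it shows that the 10th NEW connection within a minute from 192.0.2.10 is logged and dropped, every further attempt keeps the entry fresh, and the source is accepted again only after 60 seconds of silence.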


