[BlueOnyx:12569] Re: DNS Spamming

Gerald Waugh gwaugh at frontstreetnetworks.com
Mon Mar 18 14:25:37 -05 2013


On 03/18/2013 02:10 PM, Will Nordmeyer, WnA Consulting Services wrote:
> On Mon, 18 Mar 2013 12:33:03 -0500, Gerald Waugh
> <gwaugh at frontstreetnetworks.com> wrote:
>> On 03/18/2013 06:00 AM, Will Nordmeyer wrote:
>>> Last night (actually over the past few days), my server has been
>>> hammered with DNS requests (to the tune of about 5 Mb/sec bandwidth, 6
>>> IPs, 10-20 connections, thousands of requests)... Is there a way for
>>> bfd/apf or another tool to monitor for this and add the offending
>>> servers to either deny_hosts.rules or iptables?
>>>
>>>
>> /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 53 -m state
>> --state NEW -m recent --set --name DNS --rsource
>>
>> /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 53 -m state
>> --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name
>> DNS --rsource -j LOG --log-prefix "Block DNS port 53 Attack "
>>
>> /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 53 -m state
>> --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name
>> DNS --rsource -j DROP
> Gerald,
>
> Just to confirm - the first line sets up a counter, the second line
> logs a DNS attack after 10 hits in 60 seconds and the 3rd one drops
> further DNS queries from that annoying site?
>
Correct.
You can adjust the times and hitcount; I use this for all the open ports,
changing dport as necessary.

You will see many entries in /var/log/iptables, but only the hitcount
number of entries in the regular log files.
You need to set up rsyslog to log to /var/log/iptables.

In /etc/rsyslog.conf I added the rule below (the kern.warning line).
Then do a service rsyslog restart.

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

kern.warning                                            /var/log/iptables

-- 
Gerald
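Once the LOG rule above is in place and rsyslog routes kern.warning to /var/log/iptables, the useful follow-up question is which sources actually tripped the threshold and how often. The script below is an added example, not code from the thread: it reads log lines on stdin, keeps only those carrying the LOG prefix used in the rules ("Block DNS port 53 Attack"), pulls the SRC= address out of each, and prints a per-source hit count. The sample log lines are constructed to mirror the netfilter LOG format; the addresses, MAC and timestamps are illustrative. One caveat worth noting for anyone copying the rules: they match TCP only, while most DNS query traffic is UDP, so the same three rules with -p udp are usually needed alongside them.

```shell
#!/bin/sh
# Added example (not from the original post): summarise which source
# addresses tripped the "Block DNS port 53 Attack" LOG rule, using the
# kernel log lines rsyslog writes to /var/log/iptables.

# Constructed sample of what the netfilter LOG target writes (kern.warning).
# Fields other than the prefix and SRC= are illustrative only.
SAMPLE_LOG='Mar 18 14:20:01 host kernel: Block DNS port 53 Attack IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 18 14:20:02 host kernel: Block DNS port 53 Attack IN=eth0 OUT= MAC=... SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 18 14:20:03 host kernel: Block DNS port 53 Attack IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 18 14:20:04 host kernel: some unrelated kernel message
Mar 18 14:20:05 host kernel: Block DNS port 53 Attack IN=eth0 OUT= MAC=... SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0'

# count_blocked_sources <log-prefix>
# Reads log lines on stdin and prints "<hits> <SRC>" per source address,
# busiest first. Lines without the prefix (other kernel messages) are ignored.
count_blocked_sources() {
    prefix="$1"
    grep -F -- "$prefix" |
      sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
      sort | uniq -c | sort -rn |
      awk '{print $1, $2}'
}

# top_blocked_source <log-prefix>
# Prints only the source address with the most logged hits.
top_blocked_source() {
    count_blocked_sources "$1" | head -n 1 | awk '{print $2}'
}

# Against the real log file you would run:
#   count_blocked_sources "Block DNS port 53 Attack" < /var/log/iptables
# Here the constructed sample stands in for the file.
printf '%s\n' "$SAMPLE_LOG" | count_blocked_sources "Block DNS port 53 Attack"
```

Because the LOG rule fires for every packet from a source that has already exceeded the hitcount, the counts reflect continued pressure after the threshold, not the first ten packets; a source that keeps appearing here after the DROP rule is in place is still retrying, which is what you would expect from an automated flood rather than a misconfigured resolver.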