[BlueOnyx:12655] Re: DNS Spamming

Richard Morgan richard at morgan-web.co.uk
Fri Mar 29 16:33:14 -05 2013


I found the three iptables commands worked when I switched it to UDP:

/sbin/iptables -A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW \
  -m recent --set --name DNS --rsource

/sbin/iptables -A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 10 --rttl --name DNS --rsource \
  -j LOG --log-prefix "Block DNS port UDP 53 Attack "

/sbin/iptables -A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 10 --rttl --name DNS --rsource \
  -j DROP

I didn't bother with the middle rule that logs the activity - it put quite a 
load on the server.

I also installed iptraf (yum install iptraf) and used it to see the outgoing 
traffic settle down on port 53.

Richard
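To make the threshold in those rules concrete, here is a small simulation (added here, not code from the thread) of how the --set rule followed by the --update --seconds 60 --hitcount 10 rule decides each packet; it assumes xt_recent's keying of entries by (source, TTL) under --rttl and runs on constructed traffic. It shows that the tenth query inside the window, not the eleventh, is the first one dropped, because the --set rule has already stamped it before --update counts.

```python
# Simplified model of the "recent" rules in Richard's post (an added example, not code
# from the thread). Rule 1 stamps every NEW UDP/53 query per source (--set --rsource);
# rule 3 drops a source once >= 10 stamps fall within 60 s (--update --seconds 60
# --hitcount 10). Under --rttl entries are keyed by (source, TTL). No ip_list_tot or LOG.
from collections import defaultdict, deque

SECONDS = 60        # --seconds 60
HITCOUNT = 10       # --hitcount 10
PKT_LIST_TOT = 20   # xt_recent default ip_pkt_list_tot: stamps kept per entry

class RecentTable:
    def __init__(self, rttl=True):
        self.rttl = rttl
        self.stamps = defaultdict(deque)

    def _key(self, src, ttl):
        return (src, ttl if self.rttl else None)

    def set(self, src, t, ttl):
        # --set: stamp the entry (creating it if needed); the packet continues down the chain
        s = self.stamps[self._key(src, ttl)]
        s.append(t)
        if len(s) > PKT_LIST_TOT:
            s.popleft()

    def update(self, src, t, ttl):
        # --update --seconds --hitcount: match when >= HITCOUNT stamps lie in the window;
        # on a match the kernel also refreshes the entry with the current stamp
        s = self.stamps.get(self._key(src, ttl))
        if s is None:
            return False
        hits = sum(1 for st in s if t - st <= SECONDS)
        if hits >= HITCOUNT:
            self.set(src, t, ttl)
            return True
        return False

def filter_queries(queries, rttl=True):
    """queries: (time_s, src_ip, ttl) per NEW UDP/53 packet. Returns 'PASS' (continues
    past these rules) or 'DROP' for each packet, in order."""
    table = RecentTable(rttl)
    verdicts = []
    for t, src, ttl in queries:
        table.set(src, t, ttl)                                            # rule 1, no -j
        verdicts.append("DROP" if table.update(src, t, ttl) else "PASS")  # rule 3
    return verdicts

# Constructed sample: 198.51.100.7 sends 12 queries in 12 s, 192.0.2.5 sends 3, then
# 198.51.100.7 reappears with a different TTL and again after the window has expired.
SAMPLE = ([(t, "198.51.100.7", 64) for t in range(12)]
          + [(t, "192.0.2.5", 57) for t in (3, 20, 40)]
          + [(12, "198.51.100.7", 63), (200, "198.51.100.7", 64)])
```

Running filter_queries(SAMPLE) gives nine PASS then three DROP for the burst, PASS for the slow sender, and PASS for the two late packets; with rttl=False the different-TTL packet is dropped too, since it then shares the burst's entry.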



----- Original Message ----- 
From: "Colin Jack" <colin at mainline.co.uk>
To: "BlueOnyx General Mailing List" <blueonyx at mail.blueonyx.it>
Sent: Friday, March 29, 2013 7:21 PM
Subject: [BlueOnyx:12651] Re: DNS Spamming


> Hi Michael,
>
>>
>> Yeah, that's probably a good idea. I'll look into it see what can be
>> done. The other idea about separating cache and recursion and
>> pre-populating "localhost" and "localnet" also makes sense. I haven't yet
>> wrapped my mind fully around it and will need to check the Bind
>> documentation again.
>>
>
> Also maybe grouping and renaming the controls/boxes so that it is more 
> obvious?
>
> I tried the suggested iptables addition to limit the number of queries but 
> it didn't work! Syntax error.
> Something else that may be worth putting into the default template or even 
> into the GUI?
>
> Hope you are keeping well.
>
> Regards
>
> Colin
>
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx 



