[dns-operations] "NS .", the attack of the month?

Noel Butler noel.butler at ausics.net
Sat Jan 24 22:39:27 UTC 2009


On Sun, 2009-01-25 at 08:05, Stephane Bortzmeyer wrote:

> It is still trendy, apparently. As I watch one recursive name server
> (but I see nothing on many others), I see a 2-3 p/s "NS ." queries
> claiming to come from 206.71.158.30 and even from 66.230.160.1
> (pretending ISPrime).
> 
> Still no perfect solution for it?
> 
> At least dnscap is great to watch it:
> 
> sudo dnscap -i eth0 -w isprime-attack -g -s i -x '^\.$'
> 
> Any way with dnscap to restrict the QTYPE of the query?


You'll get them but to stop being apart of the problem use, using linux:
                                                                                
iptables -A INPUT -p udp --dport 53 -m u32 --u32
"0>>22&0x3C at 12>>16=1&&0>>22&0x3C at 20>>24=0&&0>>22&0x3C at 21=0x00020001" -j 
DROP


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090125/501f0c2c/attachment.html>


More information about the dns-operations mailing list