[dns-operations] "NS .", the attack of the month?

Noel Butler noel.butler at ausics.net
Sat Jan 24 22:39:27 UTC 2009

On Sun, 2009-01-25 at 08:05, Stephane Bortzmeyer wrote:

> It is still trendy, apparently. As I watch one recursive name server
> (but I see nothing on many others), I see a 2-3 p/s "NS ." queries
> claiming to come from and even from
> (pretending ISPrime).
> Still no perfect solution for it?
> At least dnscap is great to watch it:
> sudo dnscap -i eth0 -w isprime-attack -g -s i -x '^\.$'
> Any way with dnscap to restrict the QTYPE of the query?

You'll get them but to stop being apart of the problem use, using linux:
iptables -A INPUT -p udp --dport 53 -m u32 --u32
"0>>22&0x3C at 12>>16=1&&0>>22&0x3C at 20>>24=0&&0>>22&0x3C at 21=0x00020001" -j 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090125/501f0c2c/attachment.html>

More information about the dns-operations mailing list