[dns-operations] "NS .", the attack of the month?
Noel Butler
noel.butler at ausics.net
Sat Jan 24 22:39:27 UTC 2009
On Sun, 2009-01-25 at 08:05, Stephane Bortzmeyer wrote:
> It is still trendy, apparently. As I watch one recursive name server
> (but I see nothing on many others), I see a 2-3 p/s "NS ." queries
> claiming to come from 206.71.158.30 and even from 66.230.160.1
> (pretending ISPrime).
>
> Still no perfect solution for it?
>
> At least dnscap is great to watch it:
>
> sudo dnscap -i eth0 -w isprime-attack -g -s i -x '^\.$'
>
> Any way with dnscap to restrict the QTYPE of the query?
You'll get them, but to stop being a part of the problem, use this on Linux:
iptables -A INPUT -p udp --dport 53 -m u32 --u32 "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001" -j DROP
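The following Python example is an added illustration, not part of Noel Butler's message: it spells out what the three u32 tests in the iptables rule compare and evaluates them against raw IPv4 packets. The function names, the documentation-range addresses and the sample packets are constructed for the example.

```python
import struct

def be32(pkt, off):
    """u32 reads a big-endian 32-bit word; an out-of-range read fails the match."""
    return struct.unpack_from("!I", pkt, off)[0] if off + 4 <= len(pkt) else None

def matches_ns_root_rule(pkt):
    """Apply '-p udp --dport 53' and the three u32 tests to a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[9] != 17:              # -p udp (IPv4 protocol field)
        return False
    ihl = (be32(pkt, 0) >> 22) & 0x3C              # 0>>22&0x3C: IP header length in bytes
    ports = be32(pkt, ihl)                         # UDP source port, destination port
    if ports is None or (ports & 0xFFFF) != 53:    # --dport 53
        return False
    tests = (
        (ihl + 12, lambda w: (w >> 16) == 1),      # @12>>16=1: DNS QDCOUNT is 1
        (ihl + 20, lambda w: (w >> 24) == 0),      # @20>>24=0: QNAME is the root label
        (ihl + 21, lambda w: w == 0x00020001),     # @21=...: QTYPE NS (2), QCLASS IN (1)
    )
    for off, check in tests:
        word = be32(pkt, off)
        if word is None or not check(word):
            return False
    return True

def build_query(qname, qtype):
    """Constructed sample: IPv4 + UDP + one-question DNS query (checksums left 0)."""
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(dns), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 53]))
    return ip + udp + dns

if __name__ == "__main__":
    # Constructed queries: "NS .", "A .", and "NS example.com."
    for name, qtype in ((b"\x00", 2), (b"\x00", 1), (b"\x07example\x03com\x00", 2)):
        print(name, qtype, matches_ns_root_rule(build_query(name, qtype)))
```

Because the first test derives the IP header length from the packet itself, the match still lines up when IP options are present; the offsets apply to IPv4 only.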