[dns-operations] "NS .", the attack of the month?

Noel Butler noel.butler at ausics.net
Sat Jan 24 23:11:43 UTC 2009

On Sun, 2009-01-25 at 08:45, Stephane Bortzmeyer wrote:

> On Sun, Jan 25, 2009 at 08:39:27AM +1000,
>  Noel Butler <noel.butler at ausics.net> wrote 
>  a message of 65 lines which said:
> > iptables -A INPUT -p udp --dport 53 -m u32 --u32
> > "0>>22&0x3C at 12>>16=1&&0>>22&0x3C at 20>>24=0&&0>>22&0x3C at 21=0x00020001" -j 
> > DROP
> Cute :-) I hesitate to deploy a trick that I have trouble to
> verify. Isn't it better to just follow the recommendations in
> <https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful>?

No, that advice is outright wrong! Contributing to the DDoS, (although
we should have all be doing it anyway in general) because you are
sending the REFUSED pkt back to the victim, so they are essentially
telling you how to participate in the DDoS.

extract " Then, a query such as ". IN NS" should result in a REFUSED

It's also no longer just ISPrime thats the victim, I am seeing other
targets for past 24 hours.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090125/63576dc3/attachment.html>

More information about the dns-operations mailing list