[dns-operations] "NS .", the attack of the month?
Jelte Jansen
jelte at NLnetLabs.nl
Sat Jan 24 23:44:56 UTC 2009
Stephane Bortzmeyer wrote:
>
> At least dnscap is great to watch it:
>
> sudo dnscap -i eth0 -w isprime-attack -g -s i -x '^\.$'
>
> Any way with dnscap to restrict the QTYPE of the query?
(shameless plug warning)
I don't know about dnscap, but ldns-dpa can:
~> sudo tcpdump port 53 -w - | ldns-dpa -f 'qtype=NS&qr=0' -sf | grep From:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
;; From: 206.71.158.30
;; From: 206.71.158.30
;; From: 206.71.158.30
;; From: 206.71.158.30
;; From: 206.71.158.30
I'm getting them a lot too, here at home...
Remind me to add a sigkill catcher that calls the statistics calculator.
Jelte
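The match discussed in this thread (QNAME ".", QTYPE NS, qr=0) written as a stand-alone check over raw DNS payloads, as an added example that is not part of the original post and not code from dnscap or ldns-dpa. The function names, the `build_query` helper and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

QTYPE_NS = 2

def parse_question(payload):
    """Return (qr, qname, qtype) of the first question, or None if malformed."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        # Reject pointer/reserved bits and labels running past the payload.
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(payload):  # need the zero byte plus QTYPE and QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return flags >> 15, ".".join(labels) + ".", qtype

def root_ns_sources(packets):
    """Count queries (qr=0) for QNAME '.' with QTYPE NS, per source address."""
    counts = Counter()
    for src, payload in packets:
        if parse_question(payload) == (0, ".", QTYPE_NS):
            counts[src] += 1
    return counts

def build_query(qname, qtype, qr=0):
    """Build a constructed DNS message for the sample data below."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    header = struct.pack("!HHHHHH", 0x1234, (qr << 15) | 0x0100, 1, 0, 0, 0)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed sample traffic (documentation addresses, not from the post).
SAMPLE = [("192.0.2.10", build_query(".", 2))] * 3 + [
    ("192.0.2.20", build_query("example.com.", 2)),  # NS, but not the root
    ("192.0.2.30", build_query(".", 1)),             # root, but QTYPE A
    ("192.0.2.40", build_query(".", 2, qr=1)),       # a response, qr=1
    ("192.0.2.50", b"\x00\x01"),                     # truncated payload
]

if __name__ == "__main__":
    for src, n in root_ns_sources(SAMPLE).most_common():
        print(f";; From: {src}  ({n} root NS queries)")
```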