[dns-operations] New subscribers
Jeff Taylor
shdwdrgn at sourpuss.net
Sat Jan 15 21:37:50 UTC 2011
That's something I had not thought to check. I just did a quick scan of
the logs from the last two days for anything matching the query "isc.org
IN ANY" and found that every last one of them is coming in on port
25345. That certainly seems to rule out any legitimate (albeit
excessive) testing of the services.
Sorry I forgot about this thread for a few days; however, I and at
least one other person are seeing continued large amounts of traffic
running this query. I wrote up a very simple Bash script which monitors
my BIND log and adds rules to iptables to block the offender, then
removes the IP in 10 minutes and waits for a repeat offense. It seems
to be working great, as I never see more than 5 IPs blocked at any time,
although I should modify the iptables rule to only block port 53 (I
can't tell if this is coming from spoofed IPs or a botnet of some sort).
The thing that confuses me is the constant fluctuations in the traffic.
There is no steady stream of queries coming in, no obvious cycles in
activity through the day. I would think if this were an automated
attack of some sort, the barrage would be constant?
On 01/11/2011 08:41 AM, Michael Graff wrote:
>
> One report we've received here at ISC is that all the source ports are
> identical. Is this the case for you as well?
>
> - --Michael
>
>
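As an added example (Jeff's script itself is not included in the post, and this is not it), here is a dry-run Python version of the log-driven blocker the message describes: it parses BIND 9 query-log lines, tallies "isc.org IN ANY" queries arriving from the single source port reported in the thread, and emits the iptables commands that would block each offending source on UDP/53 only and release it after ten minutes. The sample log lines are constructed, and the per-source threshold, the five-entry cap, and the UDP/53-only rule he says he should add are assumptions of this example; commands are returned as strings rather than executed so the logic can be checked offline.

```python
"""Dry-run, log-driven blocker for the 'isc.org IN ANY' flood discussed in the thread."""
import re
from collections import Counter

BLOCK_SECONDS = 600   # the 10-minute block the post describes
MAX_BLOCKED = 5       # assumed safety cap on simultaneously blocked sources

# Constructed BIND 9 query-log sample in the 2011-era format (not from the post).
SAMPLE_LOG = """\
15-Jan-2011 21:30:01.101 client 192.0.2.10#25345: query: isc.org IN ANY +E (198.51.100.5)
15-Jan-2011 21:30:01.205 client 192.0.2.10#25345: query: isc.org IN ANY +E (198.51.100.5)
15-Jan-2011 21:30:02.330 client 203.0.113.7#53211: query: www.example.com IN A + (198.51.100.5)
15-Jan-2011 21:30:03.014 client 192.0.2.44#25345: query: isc.org IN ANY +E (198.51.100.5)
15-Jan-2011 21:30:03.790 client 198.51.100.9#25345: query: isc.org IN ANY +E (198.51.100.5)
15-Jan-2011 21:30:04.002 client 192.0.2.10#25345: query: isc.org IN ANY +E (198.51.100.5)
15-Jan-2011 21:30:05.600 client 203.0.113.7#40123: query: isc.org IN ANY +E (198.51.100.5)
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) IN (?P<type>\S+)"
)


def parse_query(line):
    """Return (src_ip, src_port, qname, qtype) for a query-log line, or None otherwise."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return (m["ip"], int(m["port"]), m["name"].rstrip(".").lower(), m["type"].upper())


def is_probe(rec, qname="isc.org", src_port=25345):
    """The pattern observed in the thread: isc.org/ANY from one fixed source port."""
    ip, port, name, qtype = rec
    return name == qname and qtype == "ANY" and port == src_port


def count_offenders(lines, threshold=1):
    """Tally probe queries per source IP; return the sources at or over threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_query(line)
        if rec is not None and is_probe(rec):
            counts[rec[0]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


class BlockList:
    """Tracks active blocks and produces the iptables commands to add/remove them.

    Commands are returned as strings instead of run, so the logic is testable;
    a wrapper would hand them to subprocess.run(). Rules match only UDP/53, so
    if the source address turns out to be spoofed, the real owner loses nothing
    but DNS service from this host for BLOCK_SECONDS.
    """

    def __init__(self, ttl=BLOCK_SECONDS, cap=MAX_BLOCKED):
        self.ttl = ttl
        self.cap = cap
        self.expires = {}   # ip -> time (seconds) at which the rule is removed

    @staticmethod
    def rule(ip, action):
        return f"iptables -{action} INPUT -s {ip} -p udp --dport 53 -j DROP"

    def block(self, ip, now):
        """Return the insert command, or None if already blocked or the cap is reached."""
        if ip in self.expires or len(self.expires) >= self.cap:
            return None
        self.expires[ip] = now + self.ttl
        return self.rule(ip, "I")

    def expire(self, now):
        """Return delete commands for blocks whose TTL has elapsed, and forget them."""
        done = sorted(ip for ip, t in self.expires.items() if t <= now)
        for ip in done:
            del self.expires[ip]
        return [self.rule(ip, "D") for ip in done]


def dry_run(lines, now=0, threshold=1):
    """One pass over a log excerpt: return the block commands it would issue."""
    bl = BlockList()
    cmds = []
    for ip in count_offenders(lines, threshold):
        cmd = bl.block(ip, now)
        if cmd:
            cmds.append(cmd)
    return cmds, bl


if __name__ == "__main__":
    commands, _ = dry_run(SAMPLE_LOG.splitlines())
    print("\n".join(commands))
```

In a live deployment the loop would tail the query log (for example `tail -F`), call `count_offenders` over a sliding window, and call `expire()` on each tick; the cap keeps a spoofed-source flood from filling the INPUT chain with rules, and the UDP/53-only match is what limits the collateral damage if the offending addresses are not the real senders.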