[dns-operations] Blocking DNS clients without authentifying them (Was: New subscribers

Jeff Taylor shdwdrgn at sourpuss.net
Tue Jan 18 17:48:32 UTC 2011


Actually I think the changes I made to my script yesterday resolve that 
problem.  It was noted that all of the offending queries always use the same 
source-port, so I modified my script to only react on that port.  I also changed 
the iptables rule to only block UDP on that source-port.  The way it works now, 
any legitimate users from the blocked IP will still be able to perform normal 
queries, except for the random chance of one query hitting that blocked port.

I think the only way I can make this any tighter would be to capture one of the 
offending packets and write a specific iptables rule to just block by content (I 
know it's possible, I just don't know how).

I still don't really understand the purpose of this attack.  Are they trying to 
ddos isc.org?  Surely they're not trying to shut down my server?  Either way, it 
seems like a losing battle on their part.


On 01/18/2011 01:01 AM, Stephane Bortzmeyer wrote:
> On Sat, Jan 15, 2011 at 02:37:50PM -0700,
>   Jeff Taylor<shdwdrgn at sourpuss.net>  wrote
>   a message of 33 lines which said:
>
>> I wrote up a very simple BASH script which monitors my bind log and
>> adds rules to iptables to block the offender, then removes the IP in
>> 10 minutes and waits for a repeat offense. [...] (I can't tell if
>> this is coming from spoofed IPs, or a botnet of some sort).
> Indeed. There is a huge risk of DoS with your script, I could generate
> spoofed DNS/UDP requests sent to you and claiming to come from .COM
> name servers and your script would block Verisign...
>
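The watcher described in this thread (scan the BIND query log, block a repeat offender's source IP and source port with iptables, release it after 10 minutes), written out as an added example in Python. This is not Jeff's BASH script, which does not appear on the page. The log lines, the source ports, the threshold of 3 and the allowlist address 203.0.113.53 are all constructed for the example; the log format is assumed to be the BIND 9 `queries` category format (`client IP#PORT: query: NAME IN TYPE ...`). The allowlist is the one addition beyond what the thread describes: it illustrates Stephane's point that UDP source addresses are unauthenticated, so a blocklist driven purely by the log can be made to drop traffic from whichever resolver or authoritative server an attacker chooses to spoof.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed BIND 9 query-log lines (not from the original post). Three
# queries from 192.0.2.10#4444 cross the threshold; 198.51.100.7#4444 sends
# only two; 203.0.113.53#4444 crosses the threshold but is allowlisted.
SAMPLE_LOG = """\
18-Jan-2011 17:40:01.101 client 192.0.2.10#4444: query: isc.org IN ANY +E (203.0.113.5)
18-Jan-2011 17:40:01.102 client 192.0.2.10#4444: query: isc.org IN ANY +E (203.0.113.5)
18-Jan-2011 17:40:01.103 client 192.0.2.10#4444: query: isc.org IN ANY +E (203.0.113.5)
18-Jan-2011 17:40:02.500 client 192.0.2.10#53021: query: www.example.com IN A + (203.0.113.5)
18-Jan-2011 17:40:03.000 client 198.51.100.7#4444: query: isc.org IN ANY +E (203.0.113.5)
18-Jan-2011 17:40:04.000 client 198.51.100.7#4444: query: isc.org IN ANY +E (203.0.113.5)
18-Jan-2011 17:40:05.000 client 203.0.113.53#4444: query: isc.org IN ANY +E (203.0.113.5)
18-Jan-2011 17:40:05.001 client 203.0.113.53#4444: query: isc.org IN ANY +E (203.0.113.5)
18-Jan-2011 17:40:05.002 client 203.0.113.53#4444: query: isc.org IN ANY +E (203.0.113.5)
"""

# Assumed BIND 9 query-log layout; the optional "@0x..." handle and "(name)"
# group cover the slightly longer form newer BIND releases emit.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Hypothetical allowlist: addresses that must never be dropped (for example the
# authoritative servers of zones you depend on). Because a UDP source address
# can be forged, the log alone cannot prove who sent a query, so these stay
# exempt no matter what the log shows.
NEVER_BLOCK = {"203.0.113.53"}

THRESHOLD = 3          # repeated queries from one ip#port before reacting
BLOCK_MINUTES = 10     # how long the rule stays in place, as in the thread


def parse_line(line):
    """Return (ip, port, qname, qtype) for a query-log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("port")), m.group("qname"), m.group("qtype").upper()


def find_offenders(log_text, threshold=THRESHOLD):
    """Source (ip, port) pairs that hit the threshold and are not allowlisted."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, port, _, _ = parsed
        counts[(ip, port)] += 1
    return sorted(
        key for key, n in counts.items()
        if n >= threshold and key[0] not in NEVER_BLOCK
    )


def block_rule(ip, port):
    """Narrow rule: only UDP, only this source ip and source port, only DNS."""
    return f"iptables -I INPUT -p udp -s {ip} --sport {port} --dport 53 -j DROP"


def unblock_rule(ip, port):
    """Exact inverse of block_rule, so -D removes precisely that rule."""
    return f"iptables -D INPUT -p udp -s {ip} --sport {port} --dport 53 -j DROP"


def block_plan(log_text, now):
    """(block command, expiry time, unblock command) per offender, not executed."""
    return [
        (block_rule(ip, port), now + timedelta(minutes=BLOCK_MINUTES), unblock_rule(ip, port))
        for ip, port in find_offenders(log_text)
    ]


if __name__ == "__main__":
    for add, expires, remove in block_plan(SAMPLE_LOG, datetime.utcnow()):
        print(add)
        print(f"  # remove at {expires:%H:%M}: {remove}")
```

The plan is returned rather than executed so the rules can be reviewed before anything touches the firewall; a real watcher would run the first command, sleep until the expiry time, then run the third. Restricting the rule to `-p udp --sport PORT --dport 53` keeps the collateral damage to the one source port the thread observed, but the allowlist is still only damage limitation: any address not on it can be spoofed into the log, which is the risk Stephane raises above.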