[169321] in North American Network Operators' Group
Re: random dns queries with random sources
daemon@ATHENA.MIT.EDU (Steve Clark)
Thu Feb 20 20:18:15 2014
Date: Thu, 20 Feb 2014 13:08:05 -0500
From: Steve Clark <sclark@netwolves.com>
To: Pavel Zeleny <pgreen@seznam.cz>
In-Reply-To: <loom.20140220T144607-558@post.gmane.org>
X-Securence-RFC2821-MAIL-FROM: sclark@netwolves.com
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 02/20/2014 08:57 AM, Pavel Zeleny wrote:
> Masataka Ohta <mohta <at> necom830.hpcl.titech.ac.jp> writes:
>
>> Joe Maimon wrote:
>>
>>> What is the purpose of this?
> ...
>> Masataka Ohta
>>
> Hi guys,
> for a second, have you any clue how to block this traffic on the DNS server
> side? As our company operates recursive resolvers for our customers, we can
> see this weird traffic concentrated in our logs. It started Feb 3 at about
> 16:30 (GMT/UTC+1). A very large number of DNS A queries are sent from source
> IP addresses of our customers, and they always look like
> [randomjunk].SLD.com. We have seen 143 of these SLDs so far, and we had to
> block them manually one by one.
> We suspect some kind of botnet, because an attack wave with new SLDs starts at
> the same time, coming from a broad range of valid non-spoofed source IP
> addresses. The content of the UDP packets belonging to this traffic doesn't seem to
> have any identical pattern.
>
> Any ideas are highly appreciated.
> Thank you!
>
> Pavel Zeleny
>
>
iptables -A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
So, every prefix (length 28) can send 20 r/s with allowed bursts of
100. This requires Netfilter >= 1.4 (recent options of the hashlimit module).
--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@netwolves.com
http://www.netwolves.com
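As an added example (not Steve's or Pavel's code), the Python below simulates the per-/28 token bucket that the hashlimit rule above expresses (burst 100, refilled at 20/s, keyed on the source /28) and runs it over constructed resolver queries: a random-label flood from one host and a normal client on another /28. The refill semantics are an approximation of hashlimit's credit accounting, and the addresses 203.0.113.5 / 198.51.100.77 and the query names are constructed.

```python
import ipaddress
import random
from collections import defaultdict

RATE = 20.0    # --hashlimit-above 20/second
BURST = 100    # --hashlimit-burst 100
SRCMASK = 28   # --hashlimit-srcmask 28

def prefix_key(ip):
    """Fold a source address into its /28, as --hashlimit-srcmask 28 does."""
    return str(ipaddress.ip_network(f"{ip}/{SRCMASK}", strict=False))

class HashLimit:
    """Token bucket per key: BURST credits, refilled at RATE per second (approximation)."""
    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # key -> (tokens, last_timestamp)

    def allow(self, key, ts):
        tokens, last = self.buckets.get(key, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, ts)
            return True          # under the limit: the query passes
        self.buckets[key] = (tokens, ts)
        return False             # "above": the rule matches and the packet is DROPped

def sld_of(qname):
    """Last two labels of a query name, e.g. 'x7q.example.com.' -> 'example.com'."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def simulate(queries):
    """queries: iterable of (ts, src_ip, qname). Returns (accepted, dropped) counts per SLD."""
    limiter, accepted, dropped = HashLimit(), defaultdict(int), defaultdict(int)
    for ts, src, qname in queries:
        bucket = accepted if limiter.allow(prefix_key(src), ts) else dropped
        bucket[sld_of(qname)] += 1
    return dict(accepted), dict(dropped)

def constructed_queries():
    """Constructed sample: 500 random-label queries in one second from one host, plus a normal client."""
    rnd = random.Random(1)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    qs = []
    for i in range(500):
        junk = "".join(rnd.choice(alphabet) for _ in range(10))
        qs.append((i / 500.0, "203.0.113.5", f"{junk}.example.com."))
    for i in range(10):
        qs.append((i / 10.0, "198.51.100.77", "www.example.net."))
    return sorted(qs)
```

Running `simulate(constructed_queries())` shows the flood capped at roughly the 100-query burst plus 20/s while the other /28 loses nothing, which is also why a resolver operator will want to watch the dropped-per-SLD counts to see which names the wave is targeting.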