* How to block a DNS DoS attack?
@ 2006-12-02 20:56 Eduardo Fernández
From: Eduardo Fernández @ 2006-12-02 20:56 UTC (permalink / raw)
To: Netfilter Mailing List
Hi!
Some computers in my network are flooding the DNS server with MX
queries generated by some virus, at a rate of 2/second or so. I can't
use the string match as suggested before because of my kernel version.
I can't forbid MX queries in the server because there could be valid
queries, so the only way to match the virus is the speed or number of
queries. I've tried the following to match only the virus but not the
normal clients (people surfing the web mainly):
iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit 40/minute --limit-burst 2000 -j ACCEPT
But it doesn't work. Any ideas?
Thanks a bunch!
* Re: How to block a DNS DoS attack?
From: Martijn Lievaart @ 2006-12-03 15:26 UTC (permalink / raw)
To: Eduardo Fernández; +Cc: Netfilter Mailing List
Eduardo Fernández wrote:
> Hi!
>
> Some computers in my network are flooding the dns server with mx
> queries generated by some virus, at a rate of 2/second or so. I can't
> use the string match as suggested before because of my kernel version.
> I can't forbid MX queries in the server because there could be valid
> queries, so the only way to match the virus is the speed or number of
> queries. I've tried the following to match only the virus but not the
> normal clients (people surfing the web mainly):
>
> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit
> 40/minute --limit-burst 2000 -j ACCEPT
>
> But it doesn't work. Any ideas?
I don't know why this doesn't work, but I would probably take a whole
different route. As you say you could have matched with the string
match, you can write a tcpdump capture expression for those packets.
Feed the output to a short script that extracts the IP address and adds
a rule to deny any traffic to that IP address. This has the added
advantage that it breaks functionality on the client, so people will
complain. This makes it easier to spot the infected machines. And maybe
slow the rate of spreading, who knows.
If those addresses are assigned by DHCP, make sure to clear the blocks
occasionally. Any (still) infected machine will simply re-add itself in
no time.
Obviously, you have to make sure that you add an address only once. This
also means that adding and deleting IPAs should probably be coordinated
with a lock, though you may get away without.
Something along these lines (untested):
# iptables -N VDROP
# iptables -I INPUT -j VDROP
# mkdir /var/state/sumtin
# tcpdump -l -n -i <intf> <filter> |
    sed -n -E 's/^[0-9:.]+ IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+ > .*/\1/p' |
    while read ip; do
        # -l line-buffers tcpdump so the pipe sees each packet as it arrives;
        # sed keeps only the source address of each "src.port > dst.port" line.
        if [ ! -f /var/state/sumtin/$ip ]; then
            touch /var/state/sumtin/$ip        # marker: this address is already blocked
            iptables -A VDROP -s $ip -j DROP   # the rule needs a target to drop anything
        fi
    done
(The ipset match is better suited for this, but if you don't have
string, you probably don't have ipset.)
BTW, you probably get better results with the limit match if you use a
shorter time and a lower limit.
HTH,
M4
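The tcpdump-and-script approach sketched above, worked through as an added example (my code, not Martijn's and not from the thread). It assumes the line layout `tcpdump -n` prints for a DNS query (`HH:MM:SS.usec IP src.port > dst.port: id+ MX? name. (len)`), reuses the VDROP chain and the /var/state/sumtin marker directory from the sketch, and adds two knobs of its own: STATE_DIR for the once-only marker files and IPTABLES so a dry run can print the rule instead of installing it. The capture lines and addresses are constructed. It goes one step beyond the sketch by counting MX queries per source per second before blocking, so a client that sends an occasional legitimate MX lookup is left alone and only a source exceeding the configured per-second count is added to VDROP.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed tcpdump -n output:
# each line is "HH:MM:SS.usec IP src.port > dst.port: id+ TYPE? name. (len)".
# 192.0.2.10 sends three MX queries inside one second, 192.0.2.30 sends
# three MX queries spread over three seconds, 192.0.2.20 sends only A queries.
SAMPLE='20:56:01.000001 IP 192.0.2.10.40001 > 198.51.100.53.53: 1001+ MX? example.com. (29)
20:56:01.300001 IP 192.0.2.10.40002 > 198.51.100.53.53: 1002+ MX? example.net. (29)
20:56:01.600001 IP 192.0.2.10.40003 > 198.51.100.53.53: 1003+ MX? example.org. (29)
20:56:01.700001 IP 192.0.2.20.40010 > 198.51.100.53.53: 2001+ A? www.example.com. (33)
20:56:01.800001 IP 192.0.2.30.40020 > 198.51.100.53.53: 3001+ MX? example.com. (29)
20:56:02.100001 IP 192.0.2.30.40021 > 198.51.100.53.53: 3002+ MX? example.com. (29)
20:56:03.200001 IP 192.0.2.30.40022 > 198.51.100.53.53: 3003+ MX? example.com. (29)'

# offenders MAX: read tcpdump -n lines on stdin and print, once each, every
# source address that sends more than MAX MX queries within a single second.
offenders() {
    awk -v max="$1" '
        index($0, " MX? ") > 0 {
            sec = substr($1, 1, 8)               # HH:MM:SS of the timestamp
            src = $3; sub(/\.[0-9]+$/, "", src)  # drop the source port
            if (++n[src, sec] > max && !seen[src]++) { print src; fflush() }
        }'
}

# block_once IP: append a DROP rule for IP to the VDROP chain the first time
# it is seen; a marker file in STATE_DIR prevents duplicate rules.
# Assumed knobs (mine, not from the sketch): STATE_DIR, defaulting to the
# sketch's /var/state/sumtin, and IPTABLES, so "echo iptables" gives a dry run.
# Prints and does nothing for an address that is already blocked.
block_once() {
    ip="$1"
    STATE_DIR="${STATE_DIR:-/var/state/sumtin}"
    mkdir -p "$STATE_DIR"
    [ -e "$STATE_DIR/$ip" ] && return 0
    : > "$STATE_DIR/$ip"
    ${IPTABLES:-iptables} -A VDROP -s "$ip" -j DROP
}

# Stand-alone demo: dry run against a throw-away state directory. On a live
# box the pipeline would start with "tcpdump -l -n -i <intf> udp dst port 53"
# instead of the constructed sample.
STATE_DIR="${STATE_DIR:-$(mktemp -d)}"
IPTABLES="${IPTABLES:-echo iptables}"
printf '%s\n' "$SAMPLE" | offenders 2 | while read -r ip; do block_once "$ip"; done
```

With the sample, only 192.0.2.10 crosses the two-per-second line, so the demo prints a single `iptables -A VDROP -s 192.0.2.10 -j DROP`; running it again prints nothing because the marker file already exists, which is the once-only behaviour the post asks for. The per-second window is keyed on the timestamp's HH:MM:SS, so a burst straddling a second boundary can slip under the threshold; lower MAX or widen the key if that matters.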
* Re: How to block a DNS DoS attack?
From: Elvir Kuric @ 2006-12-03 21:34 UTC (permalink / raw)
To: Eduardo Fernández, Netfilter Mailing List
Hi Eduardo,
I suggest you to check link below
http://www-128.ibm.com/developerworks/linux/library/l-fw/?n-l-4191
Hope this helps.
Regards
Elvir Kuric
--- Eduardo Fernández <eduardo@cmusanjuan.com> wrote:
> Hi!
>
> Some computers in my network are flooding the dns
> server with mx
> queries generated by some virus, at a rate of
> 2/second or so. I can't
> use the string match as suggested before because of
> my kernel version.
> I can't forbid MX queries in the server because
> there could be valid
> queries, so the only way to match the virus is the
> speed or number of
> queries. I've tried the following to match only the
> virus but not the
> normal clients (people surfing the web mainly):
>
> iptables -A INPUT -p udp -d server_ip --dport 53 -m
> limit --limit
> 40/minute --limit-burst 2000 -j ACCEPT
>
> But it doesn't work. Any ideas?
>
> Thanks a bunch!
>
>
* Re: How to block a DNS DoS attack?
From: G.W. Haywood @ 2006-12-04 15:09 UTC (permalink / raw)
To: netfilter
Hi there,
On Mon, 4 Dec 2006 Eduardo Fernández wrote:
> Some computers in my network are flooding the dns server with mx
> queries generated by some virus, at a rate of 2/second or so. I can't
Is it your network? Disconnect the offending computers from the
network and tell their users that they must remove the virus(es)
before they will be reconnected.
--
73,
Ged.