Friday, October 18, 2013



If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.


There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x064b5241 && 0x2c&0xDFDFDFFF=0x53544902 && 0x30&0xDFDFFF00=0x55530000" -j DROP -m comment --comment "DROP DNS Q"

More U32 rules can be found here:

iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|066b726173746902757300|' -j DROP -m comment --comment "DROP DNS Q"
More iptables rules for the 'string' module can be found here:
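The two rules above hard-code the wire form of the name at byte 40 of the packet (20-byte IPv4 header, 8-byte UDP header, 12-byte DNS header, then the first QNAME). The following script is an added example, not code from the original post or the linked rule collection: it derives both the 'string' and the 'u32' arguments from a domain name, reproduces the exact expressions used above for krasti.us, and evaluates them against constructed query packets so you can see what each rule does and does not catch. It assumes IPv4 without options, a single question, and the packet layout just described; the packet builder leaves checksums at zero because only the byte layout matters for the match.

```python
# Added example, not code from the original post: derive the iptables 'string'
# and 'u32' match arguments for a DNS QNAME the way the two rules above do,
# then check both matches against constructed query packets.
# Assumptions (as in the post's rules): IPv4 without options (20-byte header),
# so the QNAME starts at byte 20 + 8 (UDP) + 12 (DNS header) = 40 of the packet.
import struct

QNAME_OFFSET = 20 + 8 + 12  # start of the first question's QNAME


def qname_wire(name: str) -> bytes:
    """Encode a domain as a DNS wire-format name: length-prefixed labels, root byte."""
    labels = [label for label in name.strip(".").split(".") if label]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def string_match(name: str) -> str:
    """Arguments for '-m string': exact bytes, with a --from/--to window just big
    enough to hold the pattern at byte 40. Case-sensitive unless --icase is added."""
    wire = qname_wire(name)
    return (f"-m string --from {QNAME_OFFSET} --to {QNAME_OFFSET + len(wire)} "
            f"--algo bm --hex-string '|{wire.hex()}|'")


def u32_words(name: str):
    """Split the wire name into 32-bit words at bytes 40, 44, ... and build
    (offset, mask, value) triples. ASCII letters get mask 0xDF so the 0x20
    case bit is ignored; length bytes and the root byte get 0xFF; bytes past
    the end of the name get mask 0x00 (don't care)."""
    wire = qname_wire(name)
    words = []
    for i in range(0, len(wire), 4):
        mask = value = 0
        for j in range(4):
            if i + j < len(wire):
                b = wire[i + j]
                is_letter = 0x41 <= (b & 0xDF) <= 0x5A
                m, v = (0xDF, b & 0xDF) if is_letter else (0xFF, b)
            else:
                m, v = 0x00, 0x00
            mask = (mask << 8) | m
            value = (value << 8) | v
        words.append((QNAME_OFFSET + i, mask, value))
    return words


def u32_match(name: str) -> str:
    """Arguments for '-m u32', in the same notation as the rule in the post."""
    tests = " && ".join(f"0x{off:x}&0x{m:08X}=0x{v:08x}" for off, m, v in u32_words(name))
    return f'-m u32 --u32 "{tests}"'


def build_query(name: str, qtype: int = 255) -> bytes:
    """Constructed IPv4/UDP/DNS query for NAME (checksums left zero; only the
    layout matters for the matches). qtype 255 is ANY."""
    dns = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD set, 1 question
           + qname_wire(name) + struct.pack("!HH", qtype, 1))  # QTYPE, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    return ip + udp


def u32_hits(packet: bytes, name: str) -> bool:
    """Evaluate the u32 tests as the module does: load 4 bytes at each offset,
    AND with the mask, compare with the value; every test must pass."""
    for off, m, v in u32_words(name):
        if off + 4 > len(packet):
            return False
        word = struct.unpack("!I", packet[off:off + 4])[0]
        if (word & m) != v:
            return False
    return True


def string_hits(packet: bytes, name: str) -> bool:
    """Evaluate the string match: the exact pattern must occur inside the
    --from/--to window."""
    wire = qname_wire(name)
    return wire in packet[QNAME_OFFSET:QNAME_OFFSET + len(wire)]


if __name__ == "__main__":
    print("iptables --insert INPUT -p udp --dport 53", u32_match("krasti.us"), "-j DROP")
    print("iptables --insert INPUT -p udp --dport 53", string_match("krasti.us"), "-j DROP")
    for q in ("krasti.us", "KrAsTi.US", "www.krasti.us"):
        pkt = build_query(q)
        print(f"{q:15} u32={u32_hits(pkt, 'krasti.us')} string={string_hits(pkt, 'krasti.us')}")
```

Two things the evaluation makes visible: the u32 rule folds case (a query for KrAsTi.US still matches), while the 'string' rule as written is byte-exact and would need `--icase` for the same coverage; and because both patterns include the terminating zero byte at a fixed offset, only queries for the bare name match, not queries for names underneath it.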



Name server:


;; ADDITIONAL SECTION:
8556 IN A
8556 IN AAAA 2607:f208:206::2a
8556 IN A
8556 IN AAAA 2607:f208:302::2a


A 2
MX 30
NS 2
Rsize 4886

The response itself is noteworthy:

;; ANSWER SECTION:
3600    IN      SOA     2013101709 28800 7200 604800 600
589     IN      A
3589    IN      NS
3589    IN      NS
604800  IN      TXT     "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasssdasdassdasdassdasdas                 sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533                  > sdasd" "assdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassda                 sdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasdassdasd" "assdasdassdasdassdasdassdas                 dassdasdassdasdassdaasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas                 dassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasdassdasdassda" "sdassdasdassdasdassdasdassdasdassdassdasdassdasdassdasdassdasdass                 dasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas55                 33 > sdasdassdasdassdasdassdasdassdasdassd" "asda"
604800  IN      MX      26
604800  IN      MX      26
604800  IN      MX      28
604800  IN      MX      28
604800  IN      MX      28
604800  IN      MX      29
604800  IN      MX      29
604800  IN      MX      30
604800  IN      MX      30
604800  IN      MX      30
604800  IN      MX      32
604800  IN      MX      32
604800  IN      MX      32
604800  IN      MX      10
604800  IN      MX      10
604800  IN      MX      10
604800  IN      MX      10
604800  IN      MX      21
604800  IN      MX      21
604800  IN      MX      21
604800  IN      MX      22
604800  IN      MX      22
604800  IN      MX      22
604800  IN      MX      23
604800  IN      MX      23
604800  IN      MX      23
604800  IN      MX      24
604800  IN      MX      24
604800  IN      MX      24
604800  IN      MX      26
86389   IN      RRSIG   NSEC 5 2 86400 20131117021009 20131018011009 24075 US. Vlhl+ElSyzbwVU3MM+u1u0bGJqoOF05SaoCvO2A4oMYq9 tt3IbAQUUNv u5+QVWtuiijylhFNIFMEBbVNsyfbGgGbA+2OhtrOKf2kyh5GWH9Hlb32 +sSn6cxvRPoVBPdwjIJhknriy0o1ignfsEPj74mBLPsCobdH7YISdywc l/A=
86389   IN      NSEC    NS RRSIG NSEC


Domain Name: KRASTI.US
Domain ID: D42540828-US
Sponsoring Registrar: GODADDY.COM, INC.
Sponsoring Registrar IANA ID: 146
Registrar URL (registration services):
Domain Status: clientDeleteProhibited
Domain Status: clientRenewProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: CR152951749
Registrant Name: Ivan Kudashev
Registrant Address1: gorod rostov, sprosit' evgenya
Registrant Address2: marchenko is ddog-guarda
Registrant City: Rostov
Registrant Postal Code: 531189
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.9651765432
Registrant Email:
Registrant Application Purpose: P3
Registrant Nexus Category: C11
Administrative Contact ID: CR152951751
Administrative Contact Name: Ivan Kudashev
Administrative Contact Address1: gorod rostov, sprosit' evgenya
Administrative Contact Address2: marchenko is ddog-guarda
Administrative Contact City: Rostov
Administrative Contact Postal Code: 531189
Administrative Contact Country: Russian Federation
Administrative Contact Country Code: RU
Administrative Contact Phone Number: +7.9651765432
Administrative Contact Email:
Administrative Application Purpose: P3
Administrative Nexus Category: C11
Billing Contact ID: CR152951752
Billing Contact Name: Ivan Kudashev
Billing Contact Address1: gorod rostov, sprosit' evgenya
Billing Contact Address2: marchenko is ddog-guarda
Billing Contact City: Rostov
Billing Contact Postal Code: 531189
Billing Contact Country: Russian Federation
Billing Contact Country Code: RU
Billing Contact Phone Number: +7.9651765432
Billing Contact Email:
Billing Application Purpose: P3
Billing Nexus Category: C11
Technical Contact ID: CR152951750
Technical Contact Name: Ivan Kudashev
Technical Contact Address1: gorod rostov, sprosit' evgenya
Technical Contact Address2: marchenko is ddog-guarda
Technical Contact City: Rostov
Technical Contact Postal Code: 531189
Technical Contact Country: Russian Federation
Technical Contact Country Code: RU
Technical Contact Phone Number: +7.9651765432
Technical Contact Email:
Technical Application Purpose: P3
Technical Nexus Category: C11
Created by Registrar: GODADDY.COM, INC.
Last Updated by Registrar: GODADDY.COM, INC.
Domain Registration Date: Fri Oct 18 02:09:40 GMT 2013
Domain Expiration Date: Fri Oct 17 23:59:59 GMT 2014
Domain Last Updated Date: Fri Oct 18 02:09:40 GMT 2013

>>>> Whois database was last updated on: Sat Oct 19 00:15:16 GMT 2013 <<<<

All domain names are subject to certain additional domain name registration
rules. For details, please visit our site at


  1. Thank you for your dns-iptables-rules contribution on GitHub. I downloaded your string iptables script to defend against these attacks, and it seems to work well. However, the attacks directed to the domain,, are not filtered by my linux box. I checked this line

    iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|066b726173746902757300|' -j DROP -m comment --comment "DROP DNS Q"

    but it seems to be without any problem, yet the attacks are still there, and my system log also records these attacks to (but attacks to other domains are all filtered by iptables)

    Some system logs look like the following:
    Nov 15 10:49:29 mylinuxbox named[22751]: client query (cache) '' denied
    Nov 15 10:49:29 mylinuxbox last message repeated 14 times
    Nov 15 10:49:30 mylinuxbox named[22751]: client query (cache) '' denied

    Just wondering why the attacks to are not filtered by iptables.
    Many thanks for your help.

  2. iptables --insert INPUT -p udp --dport 53 -m string --from 36 --to 51 --algo bm --hex-string '|066b726173746902757300|' -j DROP -m comment --comment "DROP DNS Q"

    Change the --from 40 to --from 36

  3. You could just configure the DNS server properly not to allow recursive queries; blocking it in iptables is like a dog chasing its own tail.