Friday, November 15, 2013



The biggest DNS response I've seen!

If you are seeing queries for this domain, than you are likely participating in DNS Amplification attacks and your DNS server is probably reachable from the internet and has recursion enabled.

If you are seeing responses for this domain.. unlucky. You are currently beeing DDOS-ed! Good luck.


There are two iptable rules available. If your distribution supports Iptables 'u32' module pick this one, otherwise use the 'string' rule.

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x17544845 && 0x2c&0xDFDFDFDF=0x42455354 && 0x30&0xDFDFDFDF=0x444f4d41 && 0x34&0xDFDFDFDF=0x494e494e && 0x38&0xDFDFDFDF=0x54484557 && 0x3c&0xDFDFDFDF=0x4f524c44 && 0x40&0xFFDFDFDF=0x07434c4f && 0x44&0xDFDFDFDF=0x55444e53 && 0x48&0xFFDFDFFF=0x02455500" -j DROP -m comment --comment "DROP DNS Q"

More U32 rules can be found here:

iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 76 --algo bm --hex-string '|1774686562657374646f6d61696e696e746865776f726c6407636c6f75646e7302657500|' -j DROP -m comment --comment "DROP DNS Q"
More Iptables rules for the STRING module can be found here:

Source: ; Korea, Republic of ; AS46010 SAMJUNG DATA SERVICE

Name server:

;; ANSWER SECTION: 3600 IN NS 3600 IN NS 3600 IN NS 3600 IN NS


A 1345
NS 4
Rsize 21683


% The EURid WHOIS service on port 43 (textual whois) never
% discloses any information concerning the registrant.
% Registrant and onsite contact information can be obtained through use of the
% webbased whois service available from the EURid website
-7: Invalid pattern

No comments:

Post a Comment