Comments on "DNS Amplification Attacks Observer" (Blogger comment feed, last updated 2022-10-26; newest first)

Anonymous, 2015-01-09 04:48 -08:00:
I've been getting similar for several days now. Seemingly normal Chinese internet users who think that our website is Facebook, Bejeweled, a BitTorrent tracker, gaming stats servers, etc. It's mostly steady traffic, but there were a few serious spikes of 2k/min for 45 minutes.

One theory is that it's people using a VPN to get around the Great Firewall and something is misconfigured.

For now I just return 444, but it's becoming a problem.

Anonymous, 2014-12-31 02:32 -08:00:
I just found this in my logs from two hours ago:

    named[1741]: client 162.213.155.176#41178 (vlch.net): query (cache) 'vlch.net/ANY/IN' denied

I don't really understand. Does that mean they attempted to do something and were blocked?

Anonymous, 2014-12-07 05:39 -08:00:
Great article, it was very helpful! I just started in this and I'm getting to know it better! Cheers, keep up the good work!
Domain Registration: http://hosthub.biz

WC Mencken, 2014-10-11 16:22 -07:00:
89.248.172.95 NL-ECATEL
89.248.169.9
89.248.167.19
I received notices from Malwarebytes software that they were added as Web Exclusions. What should I do?
Thanks,
Mike

Anonymous, 2014-09-29 18:11 -07:00:
Hi, just want to ask why there is no update recently?

CapLinux, 2014-09-11 12:38 -07:00:
Is there any tool that delivers the iptables rules, or, if possible, could you share the script that generates domain-blacklist.txt?
Thanks

Anonymous, 2014-07-31 00:22 -07:00:
Please log on to Twitter, I have tweeted you several new domains.

Anonymous, 2014-07-24 14:46 -07:00:
The code snippet in your last comment using the recent module doesn't work on OpenWRT BB 14.07-RC1 (assuming it's put in /etc/firewall.user). Could you elaborate please?
TIA!

Anonymous, 2014-06-17 17:32 -07:00:
Also seeing these today, source IPs of infected hosts...

    64.16.206.82 [Client] Request for wradish.com. -not authorized
    178.32.56.245 [Client] Request for wradish.com. -not authorized
    109.163.232.195 [Client] Request for anaheim.cz. -not authorized

To the other commenter: I don't know why your Synology NAS is running a DNS server on the Internet. If you don't need it, turn it off. If you do need it, put a firewall in front and block the IPs.

Anonymous, 2014-06-17 10:28 -07:00:
Hello, is there any solution for this? It seems my DNS server (a caching server, FreeBSD 10, BIND 9.10) gets this kind of queries, which are eating the server RAM (resource exhaustion)... rate limiting has no effect.

sscdvp (http://sscdvp.blogspot.com), 2014-06-11 14:08 -07:00:
Quoted from that blog: "Secure64's DNS Cache has built-in defenses against such an attack. Under attack conditions, the Secure64 resolver will not consume any CPU or memory resources attempting to reach nameservers that it already knows are non-responsive. This adaptive behavior allows the Secure64 resolver to remain 100% available to legitimate clients under such attack conditions." End of quote.

Hmm, such a mitigation could create problems with false positives. Imagine the attacker sends queries to a well-known (and viable) domain's nameserver:
ewrjtbgytrj.yahoo.com
liujdf.yahoo.com
hjoigyfli.yahoo.com
...
Such a mechanism could, in this way, block all queries to yahoo.com's nameservers (including completely legitimate queries such as www.yahoo.com). And so the attack would have the effect of stopping your clients from seeing yahoo.com records.

A more correct way is to implement the protective mechanism by blocking client queries, instead of stopping the attempts to reach a nameserver.
I have implemented a mitigation mechanism against the DNS slow drip attack in this way: collect run-time statistics about the top queries, analyze their domain part, and based on those hit counts put a record in a blacklist that includes the client's IP and the client's query (only the domain part that was hit), so that all further queries from that client containing the same domain part won't be processed by the DNS server for some period of time. You need some additional memory for storing the blacklist data, of course. IMO it is better than false positives...

Anonymous, 2014-06-08 13:08 -07:00:
Once a domain expires, one of two things will happen. Firstly, the domain will expire and become available to register as a domain name through the normal registration process. If the domain has any value, then it is likely to be picked up by a name drop registrar.

Before we go deeper into the world of dropped names, you may want to know what an expired domain name is and how you go about getting hold of an expired domain name.

You may have noticed that your registrar offers a back-ordering service. A back-order service allows you to pay your domain registrar to try and acquire a specific domain name once it expires.

There are drop registrars whose sole purpose is to try and register a domain name once it has dropped. These expired domain name catchers work on behalf of individuals and other domain registrars to acquire domain names on their behalf.

Expired domains are a big business, as webmasters and large corporations try to grab as many valuable domains as they can when they drop. The reason for this virtual land grab is that many domain names can fetch high resale prices on the open market or have valuable existing traffic or type-in traffic potential.

expired domains: http://extractdomains.com/

Anonymous, 2014-06-05 02:59 -07:00:
I wrote a little script that uses tcpdump etc. to find what domains are being abused and adds them to a blacklist file, which is then parsed and blocked.
Saves a lot of trouble with this kind of attack.
Feel free to download it and see if it works for you. It sure does for me :)
http://blog.schmuffeln.de/2014/06/dns-amplification-attack-for-random-subdomains/

Monilisa, 2014-06-05 00:49 -07:00:
These are awesome! I've been looking for one too, thanks!!!!!
Server hosting 1gbit: https://www.verticalswitch.com/

David, 2014-06-03 22:44 -07:00:
Stephane,
When I run your script I get the following output:

    0>>22&0x3C@20&0xFFDFDFDF=0x04524950&&0>>22&0x3C@24&0xDFFFDFDF=0x45034e45&&0>>22&0x3C@28&0xDFFFFFFF=0x540000FF

Are the characters getting munged on output? I.e., is "0>>22" valid data, or is Python dumping out garbage because I don't have the right Python version or a module installed? Can you please show the output of the example in your script?

    % python generate-netfilter-u32-rule.py --qname ripe.net --qtype ANY

Thanks

anihilator, 2014-06-03 17:11 -07:00:
Hey guys,

would you please help me to create the correct iptables policy for the following case?

    192.168.1.13.domain > 99.253.113.44.36891: [udp sum ok] 43028| q: ANY? ping.zong.co.ua. 0/0/1 ar: . OPT UDPsize=4096 (44)
    0x0000: 4500 0048 e2db 0000 4011 00eb c0a8 010d
    0x0010: 63fd 712c 0035 901b 0034 f814 a814 8380
    0x0020: 0001 0000 0000 0001 0470 696e 6704 7a6f
    0x0030: 6e67 0263 6f02 7561 0000 ff00 0100 0029
    0x0040: 1000 0000 0000 0000

I have tried something like:

    iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x1c=0x75328380 && 0x28=0x0470696e && 0x2c=0x67047a6f && 0x30=0x6e670263" -j DROP -m comment --comment "Drops"

but apparently it doesn't work..

My system is Fedora 20 (iptables 1.4.x).

Thank you in advance

Unknown, 2014-06-02 16:51 -07:00:

    Server: google-publ
    Address: 8.8.8.8

    Name: magas.bslrp
    Addresses: 2.2.2.28
    [long list of further 2.2.2.x addresses omitted]

Anonymous, 2014-05-23 23:07 -07:00:
I find the best way to stop it is to turn recursion off on the public DNS. wradish.com is not the only one I'm seeing; I also see some of the same crap for zing.zong.co.ua.
The iptables rule above only works for wradish.com.

Anonymous, 2014-05-23 09:51 -07:00:
How do you create such a domain for amplification?

Anonymous, 2014-05-22 20:37 -07:00:
Hi, I can confirm that we see this query on our anti-DDoS technology, trying to spam our DNS. We blocked it.
We are using Arbor Peakflow anti-DDoS technology.

Anonymous, 2014-05-22 18:27 -07:00:
census.gov as well. My firewall drops these automatically after they hit a closed port, but damn, they have been slamming me lately. Even with dropping them fast and easy, it's getting annoying.

Anonymous, 2014-05-18 12:47 -07:00:
I'm using..

    -A INPUT -p udp -m udp --dport 53 -m u32 --u32 0x28=0x8666b66&&0x2c=0x6b666b66&&0x30=0x63036269&&0x34=0x7a0000ff -m comment --comment "DROP DNS fkfkfkfc.biz" -j DROP

Nev

Anonymous, 2014-05-11 09:22 -07:00:
Any rule for fkfkfkfc.biz, as I need to block this too... Thx, Nev

Anonymous, 2014-05-04 03:44 -07:00:
Hi, I'm currently seeing many queries for wradish.com on my DNS server (Synology NAS). Do you have an idea of how I can block it?
Thx

Anonymous, 2014-04-30 16:27 -07:00:
Thank you for helping me be a slightly more competent sysadmin.