[cobalt-users] Blocking massive DNS queries
- Subject: [cobalt-users] Blocking massive DNS queries
- From: "aljuhani" <aljuhani@xxxxxxxxx>
- Date: Tue Apr 20 12:46:02 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hello List..
Many times we have experienced bogus DNS requests that resulted in consuming
much of our bandwidth. Attacks mostly originate from compromised boxes and
they always happen to be under ev1.net ..
This week there were many requests from different IPs under ev1.net, so we have
created the script below to block these IPs and deny packets using ipchains.
First from /var/log issue the command below:
grep "denied recursion for query from" messages | awk '{print $11}' | \
  awk -F'[' '{print $2}' | awk -F']' '{print $1}' > DNSAttackers.txt
above is one line
This will grep all IPs into the text file DNSAttackers.txt
Second, sort the IPs in the file and remove the duplicates by issuing the
command below:
sort DNSAttackers.txt | uniq >IPs
Third, use the script below between the dashed lines:
----------
#!/usr/bin/perl -w
# this script will open a list of IP's and add them to the ipchains.
#
use strict;

my $ipfile = "IPs";      # one IP address per line, as produced by sort | uniq
my $count  = 1;
open(FILE, "<$ipfile") or die "cannot open $ipfile: $!";
while (defined(my $ip = <FILE>)) {
    chomp($ip);
    next if $ip eq '';   # skip blank lines so no empty -s argument is passed
    # insert a DENY rule at the head of the input chain; -l logs each match
    system("/sbin/ipchains", "-I", "input", "-s", $ip, "-j", "DENY", "-l");
    print "$count\n";
    $count++;
}
close(FILE);
---------
Execute the script and it will block all IPs in one go..
You may need to remove the logging option "-l" from the ipchains rule in the
script, as it will fill up your disk if the attack is massive.
The above command line and script can be integrated into one piece, but well,
I just thought I'd post it to the list as it may help others ..
BTW this was tested on a RaQ4 machine.
Regards,
Al-Juhani
aljuhani@xxxxxxxxx
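The grep/awk/sort steps and the blocking loop from the post, combined into one POSIX shell script as an added example (this is not the poster's code). The log lines are constructed to match the BIND 8 "denied recursion for query from [IP].port" format the post's awk field numbers assume; /sbin/ipchains and the input chain are taken from the post. By default the script only prints the rules it would add, so it can be run safely on any host; APPLY=1 executes them. The -l logging flag is left off, following the post's own warning about disk usage during a large flood.

```shell
#!/bin/sh
# Added example: one-piece version of the post's procedure.
# Prints ipchains rules by default; APPLY=1 runs them (assumes /sbin/ipchains).

# extract_attackers LOGFILE
# Prints each unique client IP that named refused recursion for.
extract_attackers() {
    grep 'denied recursion for query from' "$1" \
        | awk '{print $11}' \
        | awk -F'[' '{print $2}' \
        | awk -F']' '{print $1}' \
        | sort | uniq
}

# count_attackers LOGFILE -> number of unique IPs found
count_attackers() {
    extract_attackers "$1" | wc -l | tr -d ' '
}

# rule_for IP -> the ipchains command line for one IP
# (no -l: avoids filling the disk with log entries during a large flood)
rule_for() {
    printf '/sbin/ipchains -I input -s %s -j DENY\n' "$1"
}

# block_attackers LOGFILE: print (or, with APPLY=1, run) one DENY rule per IP
block_attackers() {
    extract_attackers "$1" | while read -r ip; do
        [ -n "$ip" ] || continue          # never pass an empty -s argument
        if [ "${APPLY:-0}" = "1" ]; then
            /sbin/ipchains -I input -s "$ip" -j DENY
        else
            rule_for "$ip"
        fi
    done
}

# Constructed sample of /var/log/messages lines (not real traffic); the last
# line is unrelated and must be ignored by the grep.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 20 12:40:01 raq4 named[311]: denied recursion for query from [192.0.2.10].53 for example.com
Apr 20 12:40:02 raq4 named[311]: denied recursion for query from [198.51.100.7].1024 for example.net
Apr 20 12:40:03 raq4 named[311]: denied recursion for query from [192.0.2.10].53 for example.org
Apr 20 12:40:04 raq4 sshd[420]: Accepted password for admin from 203.0.113.5
EOF

# Usage: ./block_dns_attackers.sh [/var/log/messages]; with no argument the
# constructed sample is used, which yields two unique IPs and two rules.
if [ -n "${1:-}" ]; then
    block_attackers "$1"
else
    block_attackers "$SAMPLE_LOG"
fi
```

Running it with no argument prints two rules (192.0.2.10 appears twice in the sample but is blocked once); pointing it at a real /var/log/messages reproduces the post's DNSAttackers.txt / IPs workflow without the intermediate files.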