
Re: [cobalt-security] [RAQ4] Denying specific IP from DNS traffic



On 14 Feb 2003 at 14:19, David Thacker wrote:

> Greetings,
> 
> Some hosehead from 211.135.200.222 [IP1A0602.hkd.mesh.ad.jp] has been
> banging my RaQ4 server with this DNS attack for over a week:
> 
> Feb 14 12:08:42 www named[1101]: denied update from [211.135.200.222].3381
> for "targetdomain.com" IN
> 
> The port number increases each time, and he'll go in blocks of about 50-75
> ports in a run.  It's starting to bug me.
> 
> How can I block this IP from reaching my server, specifically named?  Will
> listing him in /etc/hosts.deny be effective, or will that not work because
> named doesn't go through inetd?

Back to the original question of blocking dns:

You can block the attacker with ipchains:

# Source address as it appears in the named log above (211.135.200.222);
# both TCP and UDP must be covered since DNS uses either.
$IPCHAINS -A input -p tcp -s 211.135.200.222 -d $YOURIP 53 -j DENY
$IPCHAINS -A input -p udp -s 211.135.200.222 -d $YOURIP 53 -j DENY

replace $IPCHAINS with the path to ipchains
and $YOURIP with your IP address

This will only block DNS; to block everything from this host, remove
the '53'.


Regards

Ian
--
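As an added illustration (not part of the thread above, and not Ian's or the RaQ4's own scripts), the following POSIX shell script ties the two halves of the exchange together: it pulls the source addresses out of named "denied update" lines in the format David quoted, counts attempts per source so a one-off lookup is not treated like a week-long flood, and then prints (without executing) the ipchains rules Ian describes for each source that crosses a threshold. The log lines are constructed samples in the quoted format; the path /sbin/ipchains and the server address 192.0.2.10 are placeholders standing in for $IPCHAINS and $YOURIP.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Placeholders: substitute your ipchains path and your server's address.
IPCHAINS=/sbin/ipchains
YOURIP=192.0.2.10

# Constructed sample of named log lines in the format quoted in the thread
# (three attempts from one source, one from another).
SAMPLE_LOG='Feb 14 12:08:42 www named[1101]: denied update from [211.135.200.222].3381 for "targetdomain.com" IN
Feb 14 12:08:43 www named[1101]: denied update from [211.135.200.222].3382 for "targetdomain.com" IN
Feb 14 12:09:01 www named[1101]: denied update from [198.51.100.7].1024 for "targetdomain.com" IN
Feb 14 12:09:05 www named[1101]: denied update from [211.135.200.222].3383 for "targetdomain.com" IN'

# Extract the source address from each "denied update from [ip].port" line and
# count attempts per address. Output: "count ip", busiest source first.
count_denied_updates() {
    printf '%s\n' "$SAMPLE_LOG" \
    | sed -n 's/.*denied update from \[\([0-9.]*\)]\.[0-9]*.*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Addresses with at least $1 denied updates (default 3), one per line.
noisy_sources() {
    threshold="${1:-3}"
    count_denied_updates | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Print the ipchains rules for one source. With a port argument only that
# destination port is blocked (DNS when 53); with no port, everything from the
# source is blocked, mirroring the reply's "remove the '53'".
dns_block_rules() {
    src="$1"
    port="$2"
    dst="$YOURIP"
    if [ -n "$port" ]; then
        dst="$YOURIP $port"
    fi
    for proto in tcp udp; do
        printf '%s -A input -p %s -s %s -d %s -j DENY\n' \
            "$IPCHAINS" "$proto" "$src" "$dst"
    done
}

# Dry run: show the DNS-only rules for every source over the threshold.
# Pipe into sh (as root) only after reviewing the output.
noisy_sources 3 | while read -r src; do
    dns_block_rules "$src" 53
done
```

The threshold is what keeps this from becoming a reflexive blocklist: a single denied dynamic update is normal noise, whereas the run of sequential source ports in the quoted log is the pattern worth acting on. Printing the rules rather than applying them lets you check the address before touching the input chain.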