Re: [cobalt-security] [RAQ4] Denying specific IP from DNS traffic
- Subject: Re: [cobalt-security] [RAQ4] Denying specific IP from DNS traffic
- From: "Ian" <cobalt@xxxxxxxxxxxxx>
- Date: Tue, 18 Feb 2003 16:10:29 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On 14 Feb 2003 at 14:19, David Thacker wrote:
> Greetings,
>
> Some hosehead from 211.135.200.222 [IP1A0602.hkd.mesh.ad.jp] has been
> banging my RaQ4 server with this DNS attack for over a week:
>
> Feb 14 12:08:42 www named[1101]: denied update from [211.135.200.222].3381
> for "targetdomain.com" IN
>
> The port number increases each time, and he'll go in blocks of about 50-75
> ports in a run. It's starting to bug me.
>
> How can I block this IP from reaching my server, specifically named? Will
> listing him in /etc/hosts.deny be effective, or will that not work because
> named doesn't go through inetd?

Back to the original question of blocking DNS:
You can block the attacker with ipchains:

$IPCHAINS -A input -p tcp -s 211.135.200.222 -d $YOURIP 53 -j DENY
$IPCHAINS -A input -p udp -s 211.135.200.222 -d $YOURIP 53 -j DENY

Replace $IPCHAINS with the path to ipchains
and $YOURIP with your IP address.
This will only block DNS; to block everything from this host, remove
the '53'.
Regards
Ian
--
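
Added example, not part of Ian's reply or the original post: a shell script that counts the sources of named "denied update" messages in syslog and prints the two port-53 DENY rules from the reply for every source at or above a threshold. The function names, the threshold of 3, the 198.51.100.10 stand-in for $YOURIP and the sample log lines (unwrapped to one line each) are constructed for illustration; the rules are printed for review, not executed.

```shell
#!/bin/sh
# Added example: summarize "denied update" sources from named syslog lines
# and print matching ipchains DENY rules (printed only, never executed).

# Constructed sample log lines in the format quoted in this thread.
sample_log() {
cat <<'EOF'
Feb 14 12:08:42 www named[1101]: denied update from [211.135.200.222].3381 for "targetdomain.com" IN
Feb 14 12:08:43 www named[1101]: denied update from [211.135.200.222].3382 for "targetdomain.com" IN
Feb 14 12:08:44 www named[1101]: denied update from [211.135.200.222].3383 for "targetdomain.com" IN
Feb 14 12:09:10 www named[1101]: denied update from [192.0.2.7].1044 for "targetdomain.com" IN
Feb 14 12:09:11 www sshd[2200]: Connection closed by 192.0.2.9
EOF
}

# count_denied: read syslog on stdin, print "COUNT IP" per source, busiest first.
# Only named "denied update" lines match; everything else is ignored.
count_denied() {
    sed -n 's/.*named\[[0-9]*]: denied update from \[\([0-9.]*\)]\.[0-9]* for .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# emit_rules THRESHOLD YOURIP: read "COUNT IP" lines on stdin and print the
# tcp and udp port-53 DENY rules for each source with COUNT >= THRESHOLD.
emit_rules() {
    awk -v min="$1" -v dst="$2" '$1 >= min {
        printf "ipchains -A input -p tcp -s %s -d %s 53 -j DENY\n", $2, dst
        printf "ipchains -A input -p udp -s %s -d %s 53 -j DENY\n", $2, dst
    }'
}

# Demo: 198.51.100.10 stands in for $YOURIP; the threshold 3 is an assumption.
sample_log | count_denied | emit_rules 3 198.51.100.10
```

On a live server, feed the real syslog file to count_denied in place of sample_log and review the printed rules before applying any of them.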