<div dir="ltr"><br><div class="gmail_quote"><div dir="ltr"><div>Hello,<br><br></div>I just want to share this info for blocking dns amplification attacks<div><br><a href="http://wiki.opennicproject.org/Tier2Security" target="_blank">http://wiki.opennicproject.org/Tier2Security</a><br><a href="https://gist.github.com/guerrerocarlos/5171614" target="_blank">https://gist.github.com/guerrerocarlos/5171614</a><br><a href="http://www.junkemailfilter.com/blog/2013/03/03/how-to-block-dns-amplification-attack-isc-org-any-attack/" target="_blank">http://www.junkemailfilter.com/blog/2013/03/03/how-to-block-dns-amplification-attack-isc-org-any-attack/</a><br><br>Merry Christmas !<br><div><div class="gmail_extra"><br><br><br><br><div class="gmail_quote">On Fri, Dec 18, 2015 at 3:21 PM, Josh Sanders <span dir="ltr"><<a href="mailto:facil77@gmail.com" target="_blank">facil77@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Thanks for your reply Bert, <br><br></div>I am trying the iptables rules for stopping "questions"<br>-m string --hex-string "|0000ff0001|" and not allowing <br></div>to overload my small DNSs.<br><div><div><div><div class="gmail_extra"><br><br><br><div class="gmail_quote">On Fri, Dec 18, 2015 at 3:01 PM, bert hubert <span dir="ltr"><<a href="mailto:bert.hubert@powerdns.com" target="_blank">bert.hubert@powerdns.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On Fri, Dec 18, 2015 at 02:50:22PM -0600, Josh Sanders wrote:<br>
> Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680:<br>
> packetcache MISS<br>
><br>
> As you may see, 'any-to-tcp=yes' seems to be not working so far ...<br>
<br>
</span>Can you tcpdump? They could simply be sking the question, doesn't mean they<br>
have to *respect* your TC=1 answer. Since that is all we can do, set TC=1.<br>
It does not stop the questions!<br>
<br>
We do provide a really small answer that way, which stops the amplification<br>
from working.<br>
<span><font color="#888888"><br>
Bert<br>
</font></span></blockquote></div><br></div></div></div></div></div>
</blockquote></div><br></div></div></div></div>
</div><br></div>