=====Scripts for blocking abusive DNS access===== The following sections will detail attempts to block abusive traffic, generally towards the public tier-2 servers. Please try to give as much information about the nature of the traffic, and any solutions you may have found useful. ===DDOS on source port 25345=== Beginning in November 2010, large numbers of queries were detected requesting DNSSEC lookups for isc.org. A search concluded that this type of traffic has been seen for several months, and has been labeled as a DDOS attack, most likely against the server receiving the queries. The packets have the following unique characteristics: - The query log will show the string "query: isc.org IN ANY +ED" - The source port is always 25345 A typical log entry will appear as such: ##17-Jan-2011 03:42:22.921 queries: info: client xx.xx.xx.xx#25345: view net: query: isc.org IN ANY +ED## The following shell script will run on linux and makes use of iptables to block the offending IP addresses. This script assumes you are running BIND9, have an active query log, and are authorized to add iptables rules on the server in question. This script may be run as a background process, and should use very minimal system resources. This script will check the log once per second, and if it finds more than 10 queries matching the given string, an iptables rule will be created that blocks further queries on port 25345. The user at the blocked IP will still be able to perform normal DNS queries while this rule is in effect. After 10 minutes, the rule is removed, but will be added again if another round of queries is detected. [[ddosDotSh | Link to ddos.sh]]