Maintained by: NLnet Labs

[Unbound-users] Random subdomain flood query

Stephane Bortzmeyer
Wed Apr 1 09:54:35 CEST 2015


On Wed, Apr 01, 2015 at 07:53:54AM +1000,
 Thomas <tom at then.fr> wrote 
 a message of 34 lines which said:

> We have the same problem.
> 
> Attacks are random and with many source IPs (botnets).

Stable suffix or not? battossai claimed that the suffix changed every
second.

> Therefore it is
> harder to have an automatic system to block source IPs.

It's not the source IP that you should block (they are probably forged
so you would block innocent people) but the suffix (I sent the
iptables rule for that a few messages ago).

> Manual iptables rules are not maintainable,

In my experience, they are, if the attacker does not change the
suffix.
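
Added example, not part of the original message and not the iptables rule it refers to: a sketch of how an operator could find the stable suffix under a random-subdomain flood from a list of query names, and get its DNS wire-format bytes, which is the form a packet filter sees. The sample names, the thresholds and the fixed two-label suffix are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample query names (not taken from the thread): a flood against
# one stable suffix mixed with ordinary lookups.
SAMPLE_QNAMES = [
    "kq3xzv.victim.example.", "a9pd0w.victim.example.", "zz81me.victim.example.",
    "m2c7yt.victim.example.", "www.example.net.", "www.example.net.",
    "mail.example.org.", "www.example.org.", "Q0r5hB.Victim.Example.",
]

def normalize(qname):
    """Lower-case and split into labels, dropping the root label."""
    return [l for l in qname.lower().rstrip(".").split(".") if l]

def flooded_suffixes(qnames, suffix_labels=2, min_unique=5, min_ratio=0.9):
    """Return {suffix: distinct_prefix_count} for suffixes that look flooded.

    A suffix is reported when it has at least min_unique distinct prefixes and
    nearly every query under it uses a prefix not seen before (min_ratio).
    suffix_labels=2 is an assumption; real zones can sit deeper.
    """
    prefixes = defaultdict(set)
    totals = defaultdict(int)
    for q in qnames:
        labels = normalize(q)
        if len(labels) <= suffix_labels:
            continue  # query for the suffix itself, no prefix to count
        suffix = ".".join(labels[-suffix_labels:])
        prefixes[suffix].add(".".join(labels[:-suffix_labels]))
        totals[suffix] += 1
    return {s: len(p) for s, p in prefixes.items()
            if len(p) >= min_unique and len(p) / totals[s] >= min_ratio}

def wire_suffix(suffix):
    """Encode a suffix as DNS wire-format labels (length byte + label, root 0)."""
    out = b""
    for label in normalize(suffix):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

if __name__ == "__main__":
    for suffix, count in flooded_suffixes(SAMPLE_QNAMES).items():
        print(suffix, count, wire_suffix(suffix).hex())
```

The detection lower-cases names before counting, but a byte-level match in a packet filter is case-sensitive, so mixed-case queries for the same suffix would not match a lower-case pattern.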