Maintained by: NLnet Labs

[Unbound-users] Random subdomain flood query

Stephane LAPIE
Wed Apr 1 17:05:21 CEST 2015


On 04/01/2015 04:54 PM, Stephane Bortzmeyer wrote:
>> Manual iptables rules are not maintainable,
> In my experience, they are, if the attacker does not change the
> suffix.
Just my 2 cents here:
The pattern I am seeing on my side does not evolve as fast as one per
second, but the attacker does change domains every few hours or so.

However, the authoritative servers being hammered as a result do not
change that much.
(Most domains I am seeing are Chinese domains related to online gambling
and what not.)

And, in my situation, trying to maintain local zones or iptables rules
is a literal "whack-a-mole" game; you can't humanly do that manually
for an extended period of time.
It's like, these guys have troves of domains to use and abuse...

(Things get further tricky when some of these domains are set with
wildcard records too)
-- 
Stephane LAPIE, EPITA SRS, Promo 2005
"Even when they have digital readouts, I can't understand them."
--MegaTokyo
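The whack-a-mole described in the message above comes from picking the suffixes by hand every few hours. Below is an added example (not code from the thread, from Stephane LAPIE, or from the Unbound project) of automating the spotting step: it parses Unbound query-log lines, counts how many distinct names have been asked under each suffix, and emits `local-zone: ... refuse` lines for suffixes where nearly every query is a never-seen-before name, which is the fingerprint of a random-subdomain flood. It assumes the line layout produced by Unbound's `log-queries: yes` (`<ts> unbound[pid:0] info: <client> <qname>. <qtype> <qclass>`); the log sample, the names `victim.example` and `legit.example`, the suffix depth and the thresholds are all constructed for the example.

```python
"""Flag random-subdomain flood suffixes in Unbound query logs (example code).

Assumed log layout (Unbound `log-queries: yes`):
    [ts] unbound[pid:0] info: <client-ip> <qname>. <qtype> <qclass>
A suffix is flagged when it has seen at least MIN_UNIQUE distinct names and
almost every query for it was a distinct name: random labels, one victim zone.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"info: (\S+) (\S+)\. (\S+) (\S+)$")

MIN_UNIQUE = 50      # distinct names needed before a suffix is considered
UNIQUE_RATIO = 0.9   # share of queries that were distinct names


def parse_query(line):
    """Return (client, qname, qtype, qclass) or None for non-query lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    client, qname, qtype, qclass = m.groups()
    return client, qname.lower().rstrip("."), qtype, qclass


def suffix_of(qname, depth=2):
    """Keep the last `depth` labels; naive, so raise depth for ccSLDs like com.cn."""
    labels = qname.split(".")
    if len(labels) <= depth:
        return None  # apex or shorter: nothing random to strip
    return ".".join(labels[-depth:])


def find_flood_suffixes(lines, depth=2, min_unique=MIN_UNIQUE, ratio=UNIQUE_RATIO):
    """Map flagged suffix -> number of distinct names seen under it."""
    uniq = defaultdict(set)
    total = defaultdict(int)
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        sfx = suffix_of(q[1], depth)
        if sfx is None:
            continue
        total[sfx] += 1
        uniq[sfx].add(q[1])
    return {
        sfx: len(names)
        for sfx, names in uniq.items()
        if len(names) >= min_unique and len(names) / total[sfx] > ratio
    }


def local_zone_lines(flagged):
    """Unbound config lines that refuse everything under the flagged suffixes."""
    return ['local-zone: "%s." refuse' % s for s in sorted(flagged)]


def sample_log():
    """Constructed sample, not a real capture: 80 random labels under
    victim.example (multiplication by an odd constant mod 2^32 keeps them
    distinct) plus 80 ordinary repeated queries for legit.example."""
    lines = []
    for i in range(80):
        label = "%08x" % (i * 2654435761 % 2**32)
        lines.append("[1427900000] unbound[1234:0] info: 192.0.2.%d %s.victim.example. A IN"
                     % (i % 20 + 1, label))
    for i in range(40):
        lines.append("[1427900000] unbound[1234:0] info: 198.51.100.%d www.legit.example. A IN"
                     % (i % 5 + 1))
        lines.append("[1427900000] unbound[1234:0] info: 198.51.100.%d mail.legit.example. MX IN"
                     % (i % 5 + 1))
    return lines


if __name__ == "__main__":
    for cfg in local_zone_lines(find_flood_suffixes(sample_log())):
        print(cfg)
```

Feed it a real log with `find_flood_suffixes(open("/var/log/unbound.log"))` and tune `depth` and the thresholds for your traffic; the distinct-name ratio is what separates a flood from a busy legitimate zone, which repeats the same handful of names. Refusing a suffix at the local-zone level also stops queries a wildcard record would otherwise make resolvable, at the cost of refusing every name under it, so review the output before loading it into `unbound.conf`.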

