Maintained by: NLnet Labs

[Unbound-users] Random subdomain flood query

Daniel Ryslink
Wed Apr 1 17:51:13 CEST 2015


> And, in my situation, trying to maintain local zones or iptables rules
> is a litteral "whack-a-mole" game,
> you can't humanely do that manually for an extended period of time.
> It's like, these guys have troves of domains to use and abuse...


However, you can maintain local zone list in unbound automatically 
fairly easily, we have been doing it for over a year with minimal 
necessity of manual intervention. If you wish, have a look at the 
attached perl script.

The only other option is to persuade the users of  the compromised 
machines to clean their systems.


-- 
Best Regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.ryslink at dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Jednoduše se připojte
-----------------------------------------------

On 04/01/2015 05:05 PM, Stephane LAPIE wrote:
> On 04/01/2015 04:54 PM, Stephane Bortzmeyer wrote:
>>> Manual iptables rules are not maintainable,
>> In my experience, they are, if the attacker does not change the
>> suffix.
> Just my 2 cents here :
> The pattern I am seeing on my side does not evolve as fast as one per
> second,
> but the attacker does change domains every few hours or so.
>
> However, the authoritative servers being hammered as a result do not
> change that much.
> (Most domains I am seeing are chinese domains related to online gambling
> and what not.)
>
> And, in my situation, trying to maintain local zones or iptables rules
> is a litteral "whack-a-mole" game,
> you can't humanely do that manually for an extended period of time.
> It's like, these guys have troves of domains to use and abuse...
>
> (Things get further tricky when some of these domains are set with
> wildcard records too)
>
>
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_recursive_queries_unbound_sanitized.pl
Type: application/x-perl
Size: 3443 bytes
Desc: not available
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20150401/ec0bb4cc/attachment.bin>