Maintained by: NLnet Labs

[Unbound-users] Random subdomain flood query

Stephane Bortzmeyer
Tue Mar 31 13:37:22 CEST 2015


On Tue, Mar 31, 2015 at 06:09:50PM +0700,
 battossai <battossai at gmail.com> wrote 
 a message of 72 lines which said:

> Here is sample log of mine :
> 
> *Mar 31 17:56:47 ns1 unbound: [7679:1] info: 49.128.xxx.xxx
> cdexevevyp.www.136.xxx. A IN*

If using Linux, this Netfilter rule is very useful:

iptables  -A INPUT --in-interface eth0 -p udp --dport 53 -m string \
    --algo bm --hex-string '|03313336 03787878|' \
    --jump DROP

(where 03313336 03787878 = 136.xxx)
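
Added example, not part of the original message: a shell helper that derives the --hex-string pattern used in the rule above from a domain name, by encoding each label in DNS wire format (one length byte, then the label's bytes). The function names dns_hex_pattern and print_drop_rule are made up for this illustration, and the rule is only printed, not installed.

```sh
#!/bin/sh
# Illustrative helper (added example; names are hypothetical).
# dns_hex_pattern NAME
#   Prints NAME as DNS wire-format labels in the |hex| syntax of the
#   iptables string match. No terminating 00 byte is emitted, so the
#   pattern also matches longer names that contain these labels in a row.
#   The leading length byte pins the first label: 03 31 33 36 is exactly
#   "136", not "x136". Bytes are compared as-is, so a query sent with
#   different letter case does not match unless --icase is added.
dns_hex_pattern() {
    name=${1%.}                                   # drop one trailing root dot
    case $name in
        ''|.*|*.|*..*) echo "empty label in: $1" >&2; return 1 ;;
    esac
    out=
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        case $label in
            *[!A-Za-z0-9_-]*) echo "unsupported character in: $label" >&2; return 1 ;;
        esac
        # A DNS label is at most 63 bytes long.
        [ "${#label}" -le 63 ] || { echo "label too long: $label" >&2; return 1; }
        hex=$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')
        out="$out${out:+ }$(printf '%02x' "${#label}")$hex"
    done
    printf '|%s|\n' "$out"
}

# print_drop_rule IFACE NAME
#   Prints (does not run) the rule from the message for the given name.
print_drop_rule() {
    pat=$(dns_hex_pattern "$2") || return 1
    cat <<EOF
iptables -A INPUT --in-interface $1 -p udp --dport 53 -m string \\
    --algo bm --hex-string '$pat' \\
    --jump DROP
EOF
}

# The name from the message (already redacted there as 136.xxx).
print_drop_rule eth0 136.xxx
```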