Dropping UDP packets to port 53 containing known domain string?
- Subject: Dropping UDP packets to port 53 containing known domain string?
- From: Tom <tom@xxxxxxxxxxx>
- Date: Mon, 26 Jul 2021 21:43:14 -0400
If you run a DNS server you've likely come across lots of requests for
RRSIGs of pizzaseo.com. It's a DDOS attack that's been going on for
years, off and on. Currently it's on, and how! Thousands of requests an
hour for weeks now on all 3 of my DNS servers. Instead of using fail2ban
to block the offending IP addresses, I want to drop the packet before it
gets to the DNS server.
I know there is a way for nftables to examine table header strings of
UDP packets using something called a "raw payload expression". You need
the hex equivalent of the string, and the beginning and end offsets of
the string, for example:
    meta l4proto udp udp dport 53 @th,160,120 0x0970726f787970697065036e657400 counter drop comment "block queries for proxypipe.net"
If I wanted to block pizzaseo.com (and I'm far from alone in this
request!), how do I convert that string to a 0x string? How do I check
that I have the right start and offset? How would I debug such a rule?
Thanks in advance!
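The three questions in the post (how to turn a name into the hex string, how to know the start offset and length are right, and how to check the rule against a real packet) can all be answered by a short script. The following is an added example written for this archive page, not code from the original poster or from the nftables project. It encodes a name in DNS wire format (length-prefixed labels, NUL terminator, exactly what the 0x... string in the rule above is), derives the @th offset from the header sizes (8-byte UDP header + 12-byte DNS header = 20 bytes = 160 bits, which is why the existing rule starts at 160), emits the complete nft rule, and emulates the byte comparison against a constructed UDP+DNS query so you can see the match succeed or fail before loading the rule. The DNS query builder, the transaction ID and the source port are constructed sample data.

```python
import struct

UDP_HDR_LEN = 8    # bytes; @th,... offsets count from the start of the transport header
DNS_HDR_LEN = 12   # bytes; ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QNAME_OFFSET = UDP_HDR_LEN + DNS_HDR_LEN   # 20 bytes = 160 bits, start of QNAME
RRSIG = 46                                  # query type seen in the pizzaseo.com flood


def encode_qname(name: str) -> bytes:
    """DNS wire format for a name: <len><label>...<len><label><0x00>.
    Case is preserved, exactly as it would be on the wire."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def nft_rule(name: str) -> str:
    """Build the nft raw-payload rule: offset and length are given in bits."""
    wire = encode_qname(name)
    return (f"meta l4proto udp udp dport 53 @th,{QNAME_OFFSET * 8},{len(wire) * 8} "
            f"0x{wire.hex()} counter drop comment \"block queries for {name}\"")


def build_dns_query(name: str, qtype: int = RRSIG, txid: int = 0x1234) -> bytes:
    """Constructed sample: UDP header (checksum zeroed) followed by a standard
    DNS query for `name`, the way it sits after the IP header in a captured packet."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    dns = header + question
    udp = struct.pack("!HHHH", 54321, 53, UDP_HDR_LEN + len(dns), 0)  # sport, dport, len, csum
    return udp + dns


def rule_matches(transport: bytes, name: str) -> bool:
    """Emulate what @th,160,<len> compares: the bytes at the QNAME offset of the
    transport-layer payload against the encoded name. Same semantics as the rule."""
    wire = encode_qname(name)
    return transport[QNAME_OFFSET:QNAME_OFFSET + len(wire)] == wire


if __name__ == "__main__":
    print(nft_rule("pizzaseo.com"))
    pkt = build_dns_query("pizzaseo.com")
    print("offset check:", pkt[QNAME_OFFSET:QNAME_OFFSET + 14].hex())
    print("match lowercase:", rule_matches(pkt, "pizzaseo.com"))
    print("match mixed case:", rule_matches(build_dns_query("PizzaSEO.com"), "pizzaseo.com"))
```

Two things the emulation makes visible. First, the comparison is a plain byte match, so a query for PizzaSEO.com (resolvers that randomize query-name case do send these) slips past a rule written for the lowercase string; if the flood you see uses mixed case, you need one rule per spelling you observe or a different approach. Second, the rule only finds the name at the QNAME position, so it catches the query but not, say, the same name appearing later in a packet. To confirm the offsets against live traffic rather than the constructed packet, capture a few hits with tcpdump -X on port 53 and compare the bytes starting 20 bytes into the UDP segment with the hex the script prints; after loading the rule, the counter in nft list ruleset tells you whether it is firing.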