Well, take your domain name, convert it to hex using your nearest hex calculator -- the 0x just indicates that it is a hex string. To find the offset you will need the structure of the packet header -- if your example is correct you just use that offset, recompute the length and you should not be in too bad shape. Debugging will definitely be a challenge.

On Mon, 26 Jul 2021 21:43:14 -0400, Tom wrote:
>
> If you run a DNS server you've likely come across lots of
> requests for RRSIGs of pizzaseo.com. It's a DDoS attack that's
> been going on for years, off and on. Currently it's on, and how!
> Thousands of requests an hour for weeks now on all 3 of my DNS
> servers. Instead of using fail2ban to block the offending IP
> addresses, I want to drop the packet before it gets to the DNS
> server.
>
> I know there is a way for nftables to examine table header
> strings of UDP packets using something called a "raw payload
> expression". You need the hex equivalent of the string, and the
> beginning and end offsets of the string, for example:
>
> meta l4proto udp udp dport 53 @th,160,120
> 0x0970726f787970697065036e657400 counter drop comment "block
> queries for proxypipe.net"
>
> If I wanted to block pizzaseo.com (and I'm far from alone in this
> request!), how do I convert that string to a 0x string? How do I
> check that I have the right start and offset? How would I debug
> such a rule?
>
> Thanks in advance!

--
Your life is like a penny. You're going to lose it. The question is: How do you spend it?

John Covici wb2una
covici@xxxxxxxxxxxxxx
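The following is an added worked example for the question in this thread; it is not code from John or Tom. It shows where the numbers in the quoted rule come from and how to produce the equivalent rule for another name: the 0x string is the RFC 1035 wire encoding of the query name (one length byte per label, then the label bytes, then a zero byte), the offset 160 is 20 bytes (8-byte UDP header, RFC 768, plus 12-byte DNS header, RFC 1035 section 4.1.1) expressed in bits, since nftables raw payload expressions count offset and length in bits from the start of the transport header, and the length 120 is the 15 encoded bytes of "proxypipe.net" in bits. The rule text, the decoded-name check and the DNS query packet used to test the match are all constructed here, assuming the rule shape used in the quoted post. The packet test also shows two things the rule does not do: it compares bytes exactly, so a query for PizzaSEO.com (mixed case, as sent by resolvers that randomise case) does not match, and it matches any query type for the name, not only RRSIG.

```python
"""
Added example (not from the mailing-list post): build and sanity-check an
nftables raw payload match for a DNS query name.
"""
import struct

# nftables "@th,offset,length" counts offset and length in BITS from the
# start of the transport header, so the UDP header is part of the offset.
UDP_HEADER_LEN = 8     # RFC 768
DNS_HEADER_LEN = 12    # RFC 1035 section 4.1.1: ID, flags, QD/AN/NS/AR counts
QNAME_BYTE_OFFSET = UDP_HEADER_LEN + DNS_HEADER_LEN   # 20 bytes = 160 bits


def qname_wire(name: str) -> bytes:
    """RFC 1035 label encoding: 'pizzaseo.com' -> b'\\x08pizzaseo\\x03com\\x00'."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)          # zero-length root label terminates the name
    return bytes(out)


def qname_from_hex(hexstr: str) -> str:
    """Decode the 0x... string of an existing rule back to a name (sanity check)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    labels, i = [], 0
    while data[i] != 0:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def nft_rule(name: str) -> str:
    """The rule for one name, in the same shape as the rule quoted in the post."""
    wire = qname_wire(name)
    return (f"meta l4proto udp udp dport 53 "
            f"@th,{QNAME_BYTE_OFFSET * 8},{len(wire) * 8} 0x{wire.hex()} "
            f"counter drop comment \"block queries for {name}\"")


def build_udp_dns_query(name: str, qtype: int = 46, txid: int = 0x1234) -> bytes:
    """Constructed UDP segment (UDP header + DNS query) to test against; qtype 46 = RRSIG."""
    dns = (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # header: RD set, 1 question
           + qname_wire(name) + struct.pack("!HH", qtype, 1))  # QTYPE, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)    # sport, dport, length, checksum
    return udp + dns


def rule_matches(segment: bytes, name: str) -> bool:
    """Emulate what the kernel does for @th,160,<len>: exact bytes at that offset."""
    wire = qname_wire(name)
    return segment[QNAME_BYTE_OFFSET:QNAME_BYTE_OFFSET + len(wire)] == wire


if __name__ == "__main__":
    print(nft_rule("pizzaseo.com"))
    print(qname_from_hex("0x0970726f787970697065036e657400"))  # string from the quoted rule
    print(rule_matches(build_udp_dns_query("pizzaseo.com"), "pizzaseo.com"))
    print(rule_matches(build_udp_dns_query("PizzaSEO.com"), "pizzaseo.com"))  # case differs
```

Because the terminating zero byte is part of the pattern, www.pizzaseo.com and pizzaseo.com.example do not match either; drop the trailing 00 from the length and string if the intent is a prefix match. Once loaded, the `counter` in the rule is the debugging aid: `nft list ruleset` shows how many packets have hit it, and a `tcpdump -X` of port 53 lets you compare the bytes at offset 20 of the UDP segment against the 0x string by eye.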