List:       djbdns
Subject:    RE: Attempting to stop an abusive ip address
From:       "Meron Brandeis" <mbrandeis () netvision013 ! co ! il>
Date:       2007-09-25 9:57:37
Message-ID: 2A257B9E563E5E48A5097EC69F33433D0D92F3 () R-MAIL ! forest ! netvision ! net ! il

Hmm yeah I've been toying with that idea myself.. Was just hoping djbdns
had a blackhole option built in.

Thanks for your reply!

Regards,
Meron. 

-----Original Message-----
From: Peter Dambier [mailto:peter@cesidianroot.com] 
Sent: Monday, September 24, 2007 10:04 PM
To: dns@list.cr.yp.to
Subject: Re: Attempting to stop an abusive ip address

Meron Brandeis wrote:
> Hello there,
>  
> I've been using djbdns for a couple of years now, with much
> satisfaction. Lately, I found out that I'm being queried the very same
> query (for an inexistent ptr) around 150 times per second from a
> certain host.
>
> As this has been creating a certain overhead on my system I decided to
> block that ip address, and so removed the appropriate file from
> /etc/djbdns/root/ip .
>
> Oddly enough, I can see (by sniffing) my server is still sending
> replies to that address (all replies being ServFail).
>
> I'm asking myself whether djbdns would reply ServFail for any query
> coming from that host now that this host is not authorized to query
> anymore, and if so, whether there's a way to send the queries coming
> from that host to a _black-hole_ (i.e. not reply at all).
>
> p.s. I allowed for around 10 minutes for djbdns to recognize the
> changes I've made to /etc/dnscache/root/ip
>  
>  
> Thanks a lot,
> Meron.
>  

Hi Meron,

I solved a similar problem not with djbdns but

# descr:        Taipei Taiwan
# descr:        Chunghwa Telecom Data communication Business Group
# netname:      HINET-NET
# inetnum:      59.112.0.0 - 59.123.255.255
route add -net  59.112.0.0   netmask 255.240.0.0     dev eth0
route add -net  59.120.0.0   netmask 255.248.0.0     dev eth0

That has been for my mailer and not a single ip only, but the concept is
the same.

It won't reply servfail - but djbdns will no longer see it and will no
longer reply.

Have a look for faked source ip.
Have a look whether it might be a changing ip-address.

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@cesidianroot.com
mail: peter@echnaton.arl.pirates
http://www.cesidianroot.com/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
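
Added example, not part of either message and not djbdns code: a Python tally of per-client query rates from dnscache query log lines, grouped by network to help with the "changing ip-address" check suggested above. The log line layout (multilog TAI64N timestamp, hex client address), the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import IPv4Address, ip_network

# Assumed layout: @<TAI64N> query <serial> <ip hex>:<port hex>:<id hex> <qtype> <name>
LINE = re.compile(r"^@([0-9a-f]{16})[0-9a-f]{8} query \d+ "
                  r"([0-9a-f]{8}):[0-9a-f]{4}:[0-9a-f]{4} (\d+) (\S+)$")

def parse(line):
    """Return (second, client_ip, qtype, name), or None for non-query lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return (int(m.group(1), 16), str(IPv4Address(int(m.group(2), 16))),
            int(m.group(3)), m.group(4).lower())

def abusive_clients(lines, max_qps=100):
    """Map client -> (peak queries in one second, most repeated (qtype, name))."""
    per_sec, asked = Counter(), defaultdict(Counter)
    for rec in filter(None, map(parse, lines)):
        sec, ip, qtype, name = rec
        per_sec[(ip, sec)] += 1
        asked[ip][(qtype, name)] += 1
    peak = Counter()
    for (ip, _), n in per_sec.items():
        peak[ip] = max(peak[ip], n)
    return {ip: (n, asked[ip].most_common(1)[0][0])
            for ip, n in peak.items() if n > max_qps}

def by_prefix(ips, prefixlen=24):
    """Group flagged clients by network to spot a source that changes address."""
    groups = defaultdict(list)
    for ip in ips:
        groups[str(ip_network(f"{ip}/{prefixlen}", strict=False))].append(ip)
    return dict(groups)

# Constructed sample: one client repeats a PTR (type 12) query 150 times in one second.
T = "4000000046f8e01b00000000"
SAMPLE = [f"@{T} query {i} c0000237:d431:{i:04x} 12 1.113.0.203.in-addr.arpa."
          for i in range(1, 151)]
SAMPLE += [f"@{T} query {150 + i} c6336407:8f02:00a{i} 1 www.example.com."
           for i in range(1, 4)]
SAMPLE.append(f"@{T} cached 1 www.example.com.")  # non-query line, ignored

if __name__ == "__main__":
    for ip, (qps, (qtype, name)) in abusive_clients(SAMPLE).items():
        print(f"{ip}: {qps} q/s, mostly type {qtype} {name}")
```

Several flagged clients landing in one prefix point to a source that rotates addresses, in which case a per-network block like the routes quoted above fits better than a single-host block.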

