List: djbdns
Subject: RE: Attempting to stop an abusive ip address
From: "Meron Brandeis" <mbrandeis () netvision013 ! co ! il>
Date: 2007-09-25 9:57:37
Message-ID: 2A257B9E563E5E48A5097EC69F33433D0D92F3 () R-MAIL ! forest ! netvision ! net ! il
Hmm yeah I've been toying with that idea myself.. Was just hoping djbdns
had a blackhole option built in.
Thanks for your reply!
Regards,
Meron.
-----Original Message-----
From: Peter Dambier [mailto:peter@cesidianroot.com]
Sent: Monday, September 24, 2007 10:04 PM
To: dns@list.cr.yp.to
Subject: Re: Attempting to stop an abusive ip address
Meron Brandeis wrote:
> Hello there,
>
> I've been using djbdns for a couple of years now, with much
> satisfaction. Lately, I found out that I'm being queried the very same
> query (for an inexistent ptr) around 150 times per second from a
> certain host.
>
> As this has been creating a certain overhead on my system I decided to
> block that ip address, and so removed the appropriate file from
> /etc/djbdns/root/ip .
>
> Oddly enough, I can see (by sniffing) my server is still sending
> replies to that address (all replies being ServFail).
>
> I'm asking myself whether djbdns would reply ServFail for any query
> coming from that host now that this host is not authorized to query
> anymore, and if so, whether there's a way to send the queries coming
> from that host to a _black-hole_ (i.e. not reply at all).
>
> P.S. I allowed for around 10 minutes for djbdns to recognize the
> changes I've made to /etc/dnscache/root/ip
>
>
> Thanks a lot,
> Meron.
>
Hi Meron,
I solved a similar problem not with djbdns but
# descr: Taipei Taiwan
# descr: Chunghwa Telecom Data communication Business Group
# netname: HINET-NET
# inetnum: 59.112.0.0 - 59.123.255.255
route add -net 59.112.0.0 netmask 255.240.0.0 dev eth0
route add -net 59.120.0.0 netmask 255.248.0.0 dev eth0
That has been for my mailer and not a single ip only, but the concept is
the same.
It won't reply servfail - but djbdns will no longer see it and will no
longer reply.
Have a look for faked source ip.
Have a look whether it might be a changing ip-address.
Kind regards
Peter and Karin
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@cesidianroot.com
mail: peter@echnaton.arl.pirates
http://www.cesidianroot.com/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
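
Added example, not part of the original thread: before blackholing a source, it helps to confirm from dnscache's own log which client is responsible, at what rate, and for which question. The sketch assumes the dnscache/multilog line layout (TAI64N timestamp, then `query serial hexip:port:id qtype name`); the log lines are constructed and use documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Assumed dnscache (multilog) line layout:
#   @<tai64n> query <serial> <ip hex>:<port hex>:<id hex> <qtype> <name>
LINE = re.compile(r"^@([0-9a-f]{24}) query \d+ "
                  r"([0-9a-f]{8}):[0-9a-f]{4}:[0-9a-f]{4} (\d+) (\S+)$")

def tai64n_seconds(stamp):
    """Convert a 24-hex-digit TAI64N label to seconds (TAI, float)."""
    return int(stamp[:16], 16) - (1 << 62) + int(stamp[16:], 16) / 1e9

def hex_to_ip(h):
    return ".".join(str(int(h[i:i + 2], 16)) for i in (0, 2, 4, 6))

def heavy_clients(lines, min_qps=100.0):
    """Return {ip: (qps, most common (qtype, name))} for sources above min_qps."""
    times = defaultdict(list)
    questions = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip non-query lines (sent, cached, stats, ...)
        stamp, ip_hex, qtype, name = m.groups()
        ip = hex_to_ip(ip_hex)
        times[ip].append(tai64n_seconds(stamp))
        questions[ip][(int(qtype), name)] += 1
    report = {}
    for ip, ts in times.items():
        span = max(ts) - min(ts)
        if len(ts) < 2 or span <= 0:
            continue  # not enough data to estimate a rate
        qps = (len(ts) - 1) / span
        if qps >= min_qps:
            report[ip] = (round(qps, 1), questions[ip].most_common(1)[0][0])
    return report

def sample_log():
    """Constructed log: 192.0.2.10 repeats one PTR query 150 times a second."""
    base = (1 << 62) + 1190714257  # constructed TAI64 second
    fmt = "@%016x%08x query %d %s:8235:%04x %d %s"
    lines = [fmt % (base + i // 150, i % 150 * 10**9 // 150, i + 1, "c000020a", i,
                    12, "1.2.0.192.in-addr.arpa.") for i in range(301)]
    lines += [fmt % (base + s, 0, 302 + s, "c6336407", s, 1, "www.example.com.")
              for s in (0, 2)]
    return lines

if __name__ == "__main__":
    for ip, (qps, (qtype, name)) in heavy_clients(sample_log()).items():
        print(f"{ip}: {qps} q/s, mostly type {qtype} {name}")
```

A single source repeating one question at a steady rate is the pattern described in the thread; many sources each asking the same question would instead suggest a spoofed or changing address.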