DGA Attack mitigation

Eduardo Schoedler listas at esds.com.br
Mon Apr 9 21:36:11 UTC 2018


2018-04-09 16:15 GMT-03:00 Paul Vixie via Unbound-users
<unbound-users at unbound.net>:
>
> Rainer Duffner via Unbound-users wrote:
>>
>>> On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users
>>> <unbound-users at unbound.net> wrote:
>>>
>>> I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN,
>>> for queries coming from my clients.
>>
>> Block those IPs that are obviously p4wned until they clean up their PCs?
>
> the source addresses are forged. the victims are not unclean in any way.
> this is why rrl exists.

I drop queries in the firewall by string match.

# /sbin/iptables -A DNS -m string --algo bm \
    --hex-string '|04|wpad|06|domain|04|name|' --to 255 \
    -j DROP -m comment --comment "DROP wpad.domain.name"


-- 
Eduardo Schoedler
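A small script, added here as an example and not taken from the post, that builds the iptables --hex-string pattern from a domain name and emulates the string match against constructed DNS query payloads, so the reach of such a rule (subdomains, longer names, the effect of appending the root label |00|) can be checked before it is deployed. The chain name DNS and the rule shape come from the post; the 28-byte IPv4+UDP header offset is an assumption (no IP options).

```python
import struct

# Added example (not from the mailing list post): derive the --hex-string pattern for a
# name and emulate '-m string --to 255' over constructed DNS query payloads.

def wire_labels(name: str) -> bytes:
    """DNS wire form of a name: length-prefixed labels, without the root (0x00) label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))

def hex_string_pattern(name: str, anchor_end: bool = False) -> str:
    """Render the wire form as an iptables --hex-string, e.g. |04|wpad|06|domain|04|name|.
    anchor_end=True appends the root label |00| so that wpad.domain.name.tld no longer matches."""
    body = "".join("|%02x|%s" % (len(l), l) for l in name.strip(".").split("."))
    return body + ("|00|" if anchor_end else "|")

def iptables_rule(name: str, chain: str = "DNS", anchor_end: bool = False) -> str:
    """Same shape as the rule in the post; the chain name DNS is taken from there."""
    return ("iptables -A %s -m string --algo bm --hex-string '%s' --to 255 "
            "-j DROP -m comment --comment 'DROP %s'"
            % (chain, hex_string_pattern(name, anchor_end), name))

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed DNS query payload: 12-byte header, QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + wire_labels(qname) + b"\x00" + struct.pack("!HH", qtype, 1)

def rule_would_drop(payload: bytes, name: str, anchor_end: bool = False,
                    to: int = 255, l3l4_len: int = 28) -> bool:
    """Emulate '-m string --to 255': xt_string scans from the start of the IP packet, so the
    IPv4 (20 B, no options assumed) and UDP (8 B) headers count toward the 255-byte window."""
    pattern = wire_labels(name) + (b"\x00" if anchor_end else b"")
    return pattern in (b"\x00" * l3l4_len + payload)[:to]

if __name__ == "__main__":
    print(iptables_rule("wpad.domain.name"))
    for q in ("wpad.domain.name", "wpad.domain.name.example", "xyz.wpad.domain.name", "example.com"):
        pkt = build_query(q)
        print("%-28s loose=%-5s anchored=%s" % (q, rule_would_drop(pkt, "wpad.domain.name"),
                                               rule_would_drop(pkt, "wpad.domain.name", True)))
```

Without the trailing |00| the pattern also drops queries for names that merely begin with wpad.domain.name; with it, queries for subdomains of that name still match, which is usually what a defender wants.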