Today I met a new challenge, to defend against the UDP DNS query attack.

The attack looks like this:

20   0.090201    DNS   Standard query ANY
46   0.167341    DNS   Standard query ANY
67   0.240729    DNS   Standard query ANY
82   0.283842    DNS   Standard query ANY
122  0.413971    DNS   Standard query ANY
126  0.421386    DNS   Standard query ANY


Here is one way to block it at the packet filter. The hex string 03697363036f726700 is the DNS wire-format encoding of the name isc.org (each label prefixed by its length byte, the name terminated by a zero byte), so this rule drops every inbound UDP packet that carries that name anywhere in its payload:

# iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP

Two things to keep in mind: the rule has no --dport 53, so it inspects all inbound UDP, not only DNS, and it also drops legitimate queries for isc.org and for any name under it (a query for www.isc.org contains the same byte sequence). Add --dport 53 if DNS is the only traffic you want the string match to touch.

The second variant matches the bytes "isc?org?" instead (0x3f is the ASCII question mark):

# iptables -A INPUT -p udp -m string --hex-string "|6973633f6f72673f|" --algo bm --to 65535 -j DROP

A normally encoded query carries the length byte 0x03 and the terminating 0x00 in those positions, not '?', so this second pattern does not match a standard query for isc.org; it only catches packets in which the name appears literally in that form.

Snort rule (the fwsam option belongs to the SnortSam output plugin; remove it if you do not run SnortSam):

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS DDoS"; content:"|03 69 73 63 03 6f 72 67 00|"; classtype:attempted-dos; sid:4000002; rev:1; fwsam: src, 1 day;)

This alerts on every single query for isc.org, not only on a flood, and fwsam then blocks the packet's source address for a day. If the queries arrive with spoofed source addresses, as they do in a reflection attack, automatic source blocking locks out whatever address the attacker put in the packets rather than the attacker.
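The script below is an added example, not part of the original post or of any project. It derives the wire-format byte pattern that both the iptables rules and the Snort rule above rely on from a plain domain name, prints the matching iptables command (scoped with --dport 53, which is my addition, not the post's rule), and checks constructed ANY-query payloads against the pattern with the same substring test the string match performs. The query payloads it builds are constructed test data, not captured packets; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): build the DNS wire-format byte
# pattern that the iptables --hex-string and Snort content: options match on.
# Wire format: each label is prefixed by its length byte and the name ends with
# 0x00, so "isc.org" encodes as 03 69 73 63 03 6f 72 67 00.

# dns_wire_hex NAME
#   Print the lowercase hex encoding of NAME in DNS wire format.
#   Fails if a label is empty or longer than 63 bytes (the DNS label limit).
dns_wire_hex() {
    name=$1
    out=""
    oldifs=$IFS
    IFS=.
    set -- $name          # split NAME into labels on '.'
    IFS=$oldifs
    for label in "$@"; do
        len=$(printf '%s' "$label" | wc -c | tr -d ' ')
        if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then
            return 1
        fi
        out="$out$(printf '%02x' "$len")$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')"
    done
    printf '%s00' "$out"  # the empty root label terminates the name
}

# dns_drop_rule NAME
#   Print an iptables rule that drops UDP/53 packets carrying NAME.
#   --dport 53 is added here (my choice) so the string match only inspects
#   DNS traffic; the rule in the post inspects all inbound UDP.
dns_drop_rule() {
    hex=$(dns_wire_hex "$1") || return 1
    printf 'iptables -A INPUT -p udp --dport 53 -m string --hex-string "|%s|" --algo bm --to 65535 -j DROP\n' "$hex"
}

# any_query_hex NAME
#   Constructed UDP payload (hex) of a "NAME IN ANY" query, the packet type in
#   the capture: id 0x1234, flags 0x0100 (RD), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0,
#   then QNAME, QTYPE 255 (ANY), QCLASS 1 (IN).
any_query_hex() {
    printf '123401000001000000000000%s00ff0001' "$(dns_wire_hex "$1")"
}

# payload_has_name PAYLOAD_HEX NAME
#   Succeed when the wire-format encoding of NAME occurs in PAYLOAD_HEX, the same
#   substring test iptables -m string and Snort content: perform on the raw bytes.
#   (This toy compares hex text, so it does not enforce byte alignment.)
payload_has_name() {
    needle=$(dns_wire_hex "$2") || return 1
    case $1 in
        *"$needle"*) return 0 ;;
    esac
    return 1
}

# Print the rule for the name seen in the capture, then show which constructed
# queries it would drop: isc.org and everything under it, but not isc.org.uk.
dns_drop_rule isc.org
for q in isc.org www.isc.org isc.org.uk example.com; do
    if payload_has_name "$(any_query_hex "$q")" isc.org; then
        echo "ANY query for $q: dropped"
    else
        echo "ANY query for $q: passes"
    fi
done
```

The loop at the end makes the over-matching concrete: the pattern for isc.org is a suffix of the encoding of www.isc.org, so the string match drops queries for every name under the zone, while isc.org.uk passes because the byte after "org" is a length byte (0x02), not the terminating 0x00.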

You must also secure your nameservers so they cannot be used as open resolvers. Open /etc/named.conf. The name trusted used below is an ACL, so it has to be defined once at the top level of the file, outside the options block, or named will refuse to load the configuration. Use your own networks in place of 192.0.2.0/24, which is an example value and not part of the original post:

acl trusted { 127.0.0.1; 192.0.2.0/24; };

Then, inside the options block, look for the line

// query-source address * port 53;

and insert the following lines below it:

version "Bind";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

This refuses recursive queries, NOTIFY messages and zone transfers from any address outside the trusted ACL, and replaces the real BIND version string with "Bind". Check the file with named-checkconf before reloading, and confirm from an untrusted host that a recursive query is answered with status REFUSED. Note that an authoritative server still answers ANY queries for its own zones from everyone; the recursion restriction only stops the server from resolving arbitrary names such as isc.org on behalf of outsiders.


