Hello
I have a problem with a DNS-related UDP attack. My DNS server, which is protected by an Untangle in bridge mode, is receiving large amounts of UDP packets with (probably) a DNS cache poisoning attack (or something like this, I am not an expert on this).
Server log shows: named[5789]: client 195.146.59.253#21031: query (cache) 'verisign.net/ANY/IN' denied
The attack comes from several IPs. Untangle shows about 1300 connections with that kind of activity and is not blocking this. From the server logs I was able to read that the attacker is sending several UDP packets per second, so it is not much. I am able to manually block in the firewall the IPs that are sending this kind of queries to my DNS server. However, the attacker is changing IP addresses on a daily basis. In normal conditions my DNS server is receiving about 10-20 requests per minute, so it is not a busy machine, and that kind of bad traffic is very easy to spot and distinguish from normal traffic. I want to write an iptables rule that will be able to block this kind of activity automatically, and when the attack stops I want the system to remove this IP from the blocked IPs.
Can it be done? And is it safe to write your own iptables rules in the Untangle firewall?
Also, it would be very nice if anyone could help me with any information on what this attack is exactly doing and how to prevent it.
Thank you.
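The two things asked for above, an automatic block that expires on its own once the abuse stops and a way to pick the abusive sources out of the named log, can both be done with standard netfilter and a little awk. The following is an added example, not code from the original post or from Untangle. It assumes the BIND log line format quoted in the post, that the netfilter "recent" match module is available, and that the rules are installed on the DNS host itself (INPUT chain); on a bridging firewall such as the one described, the same matches would go in the FORWARD chain. The sample log lines are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the original post or from Untangle).
# Assumptions: BIND log lines as quoted in the post; netfilter "recent" match
# available; rules installed on the DNS host (INPUT). On a bridge use FORWARD.

# Denied cache queries per source address above which the source is reported.
THRESHOLD=${THRESHOLD:-20}

# offenders: read named log lines on stdin, print source addresses with more
# than $THRESHOLD "query (cache) ... denied" entries, one per line, sorted.
offenders() {
    awk -v t="$THRESHOLD" '
        /named\[[0-9]+\]: client [0-9.]+#[0-9]+: query \(cache\)/ && / denied/ {
            split($0, f, "client ")   # f[2] = "195.146.59.253#21031: query ..."
            split(f[2], g, "#")       # g[1] = source address
            n[g[1]]++
        }
        END { for (ip in n) if (n[ip] > t) print ip }
    ' | sort
}

# dns_rules: print iptables rules that rate-limit UDP/53 per source address.
# The "recent" list keeps per-address packet timestamps; a source that sent
# WINDOW_HITS packets within WINDOW_SECS seconds is dropped. Because the DROP
# rule uses --update, every dropped packet refreshes the entry, so the block
# lasts exactly as long as the abuse continues and lapses by itself once the
# source goes quiet, which is the "remove when the attack stops" behaviour.
# Note: --hitcount cannot exceed the module's ip_pkt_list_tot (default 20).
WINDOW_SECS=${WINDOW_SECS:-60}
WINDOW_HITS=${WINDOW_HITS:-20}

dns_rules() {
    cat <<EOF
iptables -A INPUT -p udp --dport 53 -m recent --name dnsq --update --seconds $WINDOW_SECS --hitcount $WINDOW_HITS -j DROP
iptables -A INPUT -p udp --dport 53 -m recent --name dnsq --set
EOF
}

# apply_rules: install the rules; refuses to run without root privileges.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    dns_rules | sh -e
}

# sample_log: constructed log lines (not real traffic) for trying offenders
# offline: 25 denied ANY queries from the address quoted in the post, plus two
# denied queries and one ordinary query from a documentation address.
sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo "Jan  1 00:00:$i dns named[5789]: client 195.146.59.253#21031: query (cache) 'verisign.net/ANY/IN' denied"
        i=$((i + 1))
    done
    echo "Jan  1 00:00:30 dns named[5789]: client 192.0.2.10#5353: query (cache) 'example.com/A/IN' denied"
    echo "Jan  1 00:00:31 dns named[5789]: client 192.0.2.10#5353: query (cache) 'example.com/A/IN' denied"
    echo "Jan  1 00:00:32 dns named[5789]: client 192.0.2.10#5353: query: example.com IN A + (192.0.2.1)"
}

# Usage:  sample_log | offenders            # prints 195.146.59.253
#         journalctl -u named | offenders   # or: offenders < /var/log/syslog
#         dns_rules                          # review the rules
#         apply_rules                        # install them (as root)
```

Two caveats worth keeping in mind. The window values are sized from the post's own numbers (10-20 legitimate queries per minute in total, several packets per second from each attacking source); a legitimate client that is known to send bursts should be accepted by an earlier rule so it never reaches the recent-match. And the recent list keys on the packet's source address as seen on the wire: if the sources are forged, the rate limit still protects the server, but the addresses that `offenders` reports are the forged ones, not the real sender, so they should not be treated as an attacker identity.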