Filtering inbound DNS traffic
Bruce, Paul
2014-09-25 19:33:54 UTC
I want to filter malicious inbound DNS traffic, specifically DNS requests with invalid opcodes. Is anyone out there doing this? Interested in your methodology. I started experimenting with u32, but I'm not sure I'm on the right track; maybe there is a better way?

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x2a=0x35313020" -j logdrop -m comment --comment "dropping non-query opcode packets"

I've been using packet captures to try and identify what I should be blocking but I don't have this pinned down correctly. The relative position of the opcode is moving?

To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
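Added example (not from the post above or from the netfilter project): the opcode's offset from the start of the packet moves because the IPv4 header length varies with options, so a fixed u32 offset only holds for a 20-byte header; the u32 expression here rebases on the IHL before reading the DNS flags, and the Python mirrors its arithmetic over constructed sample packets. It assumes IPv4/UDP with the DNS header right after the 8-byte UDP header, takes "invalid opcode" to mean IANA-unassigned values, and reuses the chain name "logdrop" from the original rule.

```python
import struct

# IANA-assigned DNS opcodes: 0 QUERY, 1 IQUERY, 2 STATUS, 4 NOTIFY, 5 UPDATE, 6 DSO.
# 3 and 7-15 are unassigned, which is what "invalid opcode" is taken to mean here.
ASSIGNED_OPCODES = {0, 1, 2, 4, 5, 6}

# u32 tokens and what each step below mirrors:
#   0>>22&0x3C   IHL*4 = IPv4 header length in bytes (so IP options are handled)
#   @            rebase: later offsets count from the start of the UDP header
#   8>>11&0xF    skip the 8-byte UDP header, read DNS ID+flags, keep the opcode bits
#   =3,7:15      value list: the unassigned opcodes
U32_INVALID_OPCODE = "0>>22&0x3C@8>>11&0xF=3,7:15"
# "logdrop" is the user-defined chain name taken from the original rule (assumed to exist).
IPTABLES_RULE = ('iptables -I INPUT -p udp --dport 53 -m u32 --u32 "%s" '
                 '-m comment --comment "drop DNS with unassigned opcode" '
                 '-j logdrop' % U32_INVALID_OPCODE)

def u32_word(pkt: bytes, offset: int) -> int:
    """Big-endian 32-bit read at offset; u32 treats a read past the end as no match."""
    if offset + 4 > len(pkt):
        raise ValueError("packet too short: u32 match fails")
    return struct.unpack_from("!I", pkt, offset)[0]

def dns_opcode(pkt: bytes) -> int:
    """Opcode of a UDP/IPv4 DNS packet, computed exactly as the u32 expression does."""
    ip_hdr_len = (u32_word(pkt, 0) >> 22) & 0x3C    # 0>>22&0x3C
    id_and_flags = u32_word(pkt, ip_hdr_len + 8)    # @8
    return (id_and_flags >> 11) & 0xF               # >>11&0xF

def matches_invalid_opcode(pkt: bytes) -> bool:
    """True when the rule above would fire on this packet."""
    try:
        return dns_opcode(pkt) not in ASSIGNED_OPCODES
    except ValueError:
        return False

def build_packet(opcode: int, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4/UDP/DNS sample (checksums left zero; only the headers matter here)."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    dns = struct.pack("!HHHHHH", 0x1234, (opcode & 0xF) << 11, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    total = 20 + len(ip_options) + len(udp) + len(dns)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + ip_options
    return ip + udp + dns

if __name__ == "__main__":
    print(IPTABLES_RULE, dns_opcode(build_packet(9, b"\x01" * 4)), sep="\n")
```

u32 reads raw bytes of whatever packet reaches the rule, so the expression assumes a defragmented datagram, and the rule covers UDP only; DNS over TCP needs its own handling.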