[Unbound-users] Random subdomain flood query

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Apr 1 07:54:35 UTC 2015


On Wed, Apr 01, 2015 at 07:53:54AM +1000,
 Thomas <tom at then.fr> wrote 
 a message of 34 lines which said:

> We have the same problem.
> 
> Attacks are random and with many source IPs (botnets).

Stable suffix or not? battossai claimed that the suffix changed every
second.

> Therefore it is
> harder to have an automatic system to block source IPs.

It's not the source IP that you should block (they are probably forged
so you would block innocent people) but the suffix (I sent the
iptables rule for that a few messages ago).

> Manual iptables rules are not maintainable,

In my experience, they are, if the attacker does not change the
suffix.
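
An added example, not part of the original message: one way to check from a resolver's query log whether a flood has a stable suffix, which is the condition the reply above gives for a suffix-based block to stay maintainable. It groups queries by parent domain and reports parents with many distinct names, along with how many sources sent them. The sample data, the function names and the `min_unique` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of (source IP, queried name) pairs; not real traffic.
# Addresses are documentation ranges, names use the reserved .example TLD.
SAMPLE_QUERIES = [
    ("192.0.2.10", "kq3vx9.victim.example."),
    ("198.51.100.7", "zz81hd.victim.example."),
    ("203.0.113.44", "p0wmr2.victim.example."),
    ("192.0.2.99", "ab77tq.victim.example."),
    ("198.51.100.23", "m4n5b6.victim.example."),
    ("203.0.113.5", "yy12cd.victim.example."),
    ("192.0.2.50", "www.shop.example."),
    ("192.0.2.50", "www.shop.example."),
    ("192.0.2.51", "mail.shop.example."),
]


def candidate_suffixes(qname, min_labels=2):
    """Parent domains of qname that keep at least min_labels labels.

    min_labels=2 skips bare TLDs; it is a simplification and does not
    consult a public-suffix list.
    """
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - min_labels + 1)]


def find_flooded_suffixes(queries, min_unique=5):
    """Return (suffix, distinct names, distinct sources), busiest first."""
    names = defaultdict(set)
    sources = defaultdict(set)
    for src, qname in queries:
        full = qname.rstrip(".").lower()
        for suffix in candidate_suffixes(qname):
            names[suffix].add(full)
            sources[suffix].add(src)
    hits = [(s, len(n), len(sources[s]))
            for s, n in names.items() if len(n) >= min_unique]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for suffix, n_names, n_sources in find_flooded_suffixes(SAMPLE_QUERIES):
        print(f"{suffix}: {n_names} distinct names from {n_sources} sources")
```

Running it over successive time windows shows whether the same suffix keeps reappearing or changes between windows.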


