[nycbug-talk] dns abuse

Yarema yds at CoolRat.org
Wed Jan 21 20:34:49 EST 2009


Max Gribov wrote:
> Hi all,
> saw a huge spike in root zone NS queries on my servers starting this
> Friday the 16th.
> Here's a sample log:
> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS +
> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS +
> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS +
> 
> Some machines query as often as 20-30 times a minute. No idea why this
> would be happening; it doesn't look like legitimate traffic to me.
> Is anyone else experiencing this?
> 
> If you're having the same issue, you can do this in pf to throttle it a bit:
> pass in quick on $ext inet proto udp from any to <server> port 53 keep state (max-src-states 1)

Max, looking to implement your throttling rule I noticed
http://www.openbsd.org/faq/pf/filter.html#udpstate says:

~~~~~~~~~~~~~~
<source-track>
    This option enables the tracking of number of states created per
source IP address. This option has two formats:

        * <source-track rule> - The maximum number of states created by
this rule is limited by the rule's <max-src-nodes> and <max-src-states>
options. Only state entries created by this particular rule count toward
the rule's limits.
        * <source-track global> - The number of states created by all
rules that use this option is limited. Each rule can specify different
<max-src-nodes> and <max-src-states> options, however state entries
created by any participating rule count towards each individual rule's
limits.

    The total number of source IP addresses tracked globally can be
controlled via the <src-nodes> runtime option.
...
<max-src-states> number
    When the <source-track> option is used, <max-src-states> will limit
the number of simultaneous state entries that can be created per source
IP address. The scope of this limit (i.e., states created by this rule
only or states created by all rules that use <source-track>) is
dependent on the <source-track> option specified.
~~~~~~~~~~~~~~

I read this to mean that to use <max-src-states> one must also use one
of the two <source-track> formats.  That said, shouldn't your rule read
as follows?

pass in quick on $ext inet proto udp from any to <server> port 53
	keep state (source-track rule, max-src-states 1)

-- 
Yarema
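The throttling rule above only limits state creation; before deciding on a threshold it helps to measure how many root NS queries each client actually sends per minute from the BIND query log Max quoted. The following is an added example written for this thread, not code from either poster: it parses BIND 9 query-log lines of the form shown above, counts ". IN NS" queries per client per wall-clock minute, and reports sources at or above a threshold (20/min, matching the rate Max reported). The log lines, client addresses (documentation ranges) and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND 9 query-log line, same shape as the thread's sample:
#   19-Jan-2009 14:19:14.565 client 192.0.2.10#63328: query: . IN NS +
QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return a dict for one BIND query-log line, or None if it is not a query entry."""
    m = QUERY_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec


def root_ns_queries_per_minute(lines):
    """Count root-zone NS queries ('. IN NS') per (client, minute)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        if rec["qname"] == "." and rec["qclass"] == "IN" and rec["qtype"] == "NS":
            minute = rec["ts"].replace(second=0, microsecond=0)
            counts[(rec["client"], minute)] += 1
    return dict(counts)


def noisy_clients(lines, threshold_per_minute=20):
    """Return (client, minute, count) tuples at or above the threshold, oldest first."""
    hits = [
        (client, minute, n)
        for (client, minute), n in root_ns_queries_per_minute(lines).items()
        if n >= threshold_per_minute
    ]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def _constructed_log():
    """Constructed sample log: one bursting client, one normal client, two unrelated lines."""
    lines = []
    # Client A: 25 root NS queries inside the 14:19 minute (constructed burst).
    for i in range(25):
        lines.append(
            f"19-Jan-2009 14:19:{i:02d}.100 client 192.0.2.10#{40000 + i}: query: . IN NS +"
        )
    # Client B: two root NS queries, which is ordinary resolver behaviour.
    lines.append("19-Jan-2009 14:19:15.689 client 198.51.100.7#35549: query: . IN NS +")
    lines.append("19-Jan-2009 14:19:21.257 client 198.51.100.7#9389: query: . IN NS +")
    # An unrelated A query and a non-query log line, both of which must be ignored.
    lines.append("19-Jan-2009 14:19:30.000 client 198.51.100.7#9390: query: www.example.com IN A +")
    lines.append("19-Jan-2009 14:19:31.000 zone example.com/IN: loaded serial 1")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for client, minute, n in noisy_clients(SAMPLE_LOG):
        print(f"{minute:%Y-%m-%d %H:%M} {client} sent {n} root NS queries")
```

Run it against a real log with something like `noisy_clients(open("query.log"))`; the per-minute figures tell you whether the rule's `max-src-states` value is actually biting on the sources you care about, and whether legitimate resolvers would be caught by it.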


