From: Mark Wooding
Date: Thu, 4 Jun 2009 14:55:44 +0000 (+0100)
Subject: vampire: Add special hook for DNS badness.
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/firewall/commitdiff_plain/83610d8aa07970a77bcb27f0cffe9db38b09cc1d?hp=83610d8aa07970a77bcb27f0cffe9db38b09cc1d

vampire: Add special hook for DNS badness.

There's a DDOS attack which works by sending DNS servers bogus requests
with spoofed source addresses.  The servers' error reports end up
bombarding the victim.  The `logtrawl' program maintains an ipset
listing the known victim IP addresses based on the DNS server's logs;
here, we /drop/ matching packets -- otherwise the ICMP fallout would do
just as well as the DNS errors at clobbering the victim.  Fortunately
this isn't very evil, since DNS over UDP is unreliable anyway.

It may be that `logtrawl' grows up to do more of this stuff later.
---
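The pipeline the commit message describes, as an added illustration that is not code from the firewall repository or from `logtrawl': pull the spoofed source addresses out of the nameserver's "query denied" log lines, feed them into an ipset, and install a rule that silently drops the server's UDP/53 replies towards anything in that set. The log lines are constructed in a BIND-like format, and the set name `dnsvictims', the one-hour entry timeout, and the use of the OUTPUT chain are assumptions of this example, not anything the page states.

```shell
#!/bin/sh
# Added example: victim-address extraction plus the ipset/iptables
# commands to DROP (not REJECT) replies to those addresses.  Nothing
# here is taken from the firewall repo or from logtrawl.

# Constructed sample log, loosely in BIND's "query denied" style.  The
# client address on a denied line is the spoofed source, i.e. the victim.
# 203.0.113.5 is an ordinary answered query and must not be collected.
sample_log() {
    cat <<'EOF'
Jun  4 14:50:01 vampire named[1234]: client 192.0.2.10#53 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Jun  4 14:50:02 vampire named[1234]: client @0x7f3c2c01e8a0 198.51.100.7#53 (ripe.net): query (cache) 'ripe.net/ANY/IN' denied
Jun  4 14:50:02 vampire named[1234]: client 192.0.2.10#53 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Jun  4 14:50:03 vampire named[1234]: client 203.0.113.5#40112: query: example.org IN A + (203.0.113.1)
Jun  4 14:50:04 vampire named[1234]: client 198.51.100.7#53 (ripe.net): query (cache) 'ripe.net/ANY/IN' denied
EOF
}

# Read log lines on stdin; print each distinct address that appears as
# the client of a denied query.  The optional "@0x..." handle newer BIND
# versions insert before the address is stripped first.
victim_addrs() {
    grep ' denied$' |
    sed -n -e 's/client @0x[^ ]* /client /' \
           -e 's/.*client \([0-9][0-9.]*\)#[0-9]*.*/\1/p' |
    sort -u
}

# Read log lines on stdin; print the shell commands that would populate
# the set and install the drop rule.  $1 is the set name (assumed default
# `dnsvictims').  Entries time out after an hour (an assumed choice) so a
# victim is not cut off from this server for ever.
firewall_commands() {
    set_name=${1:-dnsvictims}
    echo "ipset -exist create $set_name hash:ip timeout 3600"
    victim_addrs | while read -r ip; do
        echo "ipset -exist add $set_name $ip"
    done
    # DROP rather than REJECT: a REJECT would emit an ICMP unreachable to
    # the spoofed address, which reaches the victim just as the DNS error
    # would.  -C checks for the rule so re-running does not duplicate it.
    echo "iptables -C OUTPUT -p udp --sport 53 -m set --match-set $set_name dst -j DROP 2>/dev/null ||" \
         "iptables -I OUTPUT -p udp --sport 53 -m set --match-set $set_name dst -j DROP"
}

# Stand-alone run: print the commands for the constructed log.  To apply
# for real, pipe a genuine log through firewall_commands and the result
# through sh as root.
sample_log | firewall_commands
```

Matching on `dst' is the important detail: the set holds the addresses the server would be *replying* to, so the rule sits on the outbound reply path, not on inbound queries (which carry a forged source and are not the victim's problem to begin with).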