iptables -I INPUT 1 -p udp -m udp --dport 53 -m string --hex-string "|333032353904696e666f|" --algo kmp --from 30 --to 65535 -m comment --comment "drop 30259.info" -j DROP
Unfortunately that pattern is the hex of the DNS wire-format name, so you'll need to run tcpdump to extract the hex-encoded domain name, like so:
[bob@host01 ~]# tcpdump -nnX -c 10 -s 0 -l port 53
05:18:53.307390 IP nnn.nnn.nnn.nnn.32825 > xxx.xxx.xxx.xxx.53: 7117+ [1au] ANY? 30259.info. (51)
0x0000: 4500 004f 0000 4000 3f11 df23 cd86 d638 E..O..@.?..#...8
0x0010: d8b1 e009 8039 0035 003b 34c9 1bcd 0100 .....9.5.;4.....
0x0020: 0001 0000 0000 0001 0533 3032 3539 0469 .........30259.i
0x0030: 6e66 6f00 00ff 0001 0000 2910 0000 0000 nfo.......).....
0x0040: 0000 0c50 fa00 0800 0120 000b 5dfb ed ...P........]..
Notice that this happens to be QTYPE 255: a request for all records (all cached records, not an AXFR, which is type 252). I don't know if this QTYPE is useful in the real world or just a vector for attack. You can view all queries with QTYPE=255 with:
tcpdump -c 10 -s 0 -l 'port 53 and ether[len - 3] == 0xff'
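The two pieces above (the hex pattern in the iptables rule and the QTYPE-255 check) can be worked through against the captured packet itself. This is an added example, not from the original post: it rebuilds the datagram from the hex dump, encodes a name into DNS wire format to produce an `--hex-string` pattern (here including the leading length byte and terminating zero, which is stricter than the post's pattern), and parses the question section properly instead of trusting a fixed offset. The `tail_byte_filter_matches` function mirrors the `ether[len - 3] == 0xff` filter and shows it misses this particular packet, because the EDNS OPT record follows the question.

```python
import struct

# Constructed from the tcpdump hex dump above: the IPv4/UDP datagram carrying
# the ANY query for 30259.info (IP header, UDP header, then the DNS message).
PACKET = bytes.fromhex(
    "4500004f00004000" "3f11df23cd86d638"
    "d8b1e00980390035" "003b34c91bcd0100"
    "0001000000000001" "0533303235390469"
    "6e666f0000ff0001" "0000291000000000"
    "00000c50fa000800" "0120000b5dfbed"
)
QTYPE_ANY = 255   # "all records"
QTYPE_AXFR = 252  # zone transfer, not the same thing

def wire_name(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels: <len><label>...<0>."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def iptables_hex_string(name: str) -> str:
    """--hex-string pattern for the whole wire name (length bytes and terminator
    included, so a name whose first label merely ends in '30259' cannot match)."""
    return "|" + wire_name(name).hex() + "|"

def read_name(msg: bytes, off: int):
    """Read an uncompressed name from a DNS message; return (name, next_offset)."""
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + n].decode("ascii")); off += n

def parse_query(pkt: bytes) -> dict:
    """Pull the first question out of an IPv4/UDP DNS packet."""
    ihl = (pkt[0] & 0x0F) * 4
    dns = pkt[ihl + 8:]  # skip the IP header and the 8-byte UDP header
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    qname, off = read_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    # An additional record starting with root name + type 0x0029 is an EDNS OPT.
    edns = ar > 0 and dns[off + 4:off + 7] == b"\x00\x00\x29"
    return {"id": ident, "qname": qname, "qtype": qtype, "qclass": qclass,
            "arcount": ar, "edns": edns}

def is_any_query(pkt: bytes) -> bool:
    return parse_query(pkt)["qtype"] == QTYPE_ANY

def tail_byte_filter_matches(pkt: bytes) -> bool:
    """Same test as 'ether[len - 3] == 0xff': only true when the QTYPE's low byte
    sits 3 bytes before the end, i.e. when nothing follows the question."""
    return pkt[-3] == 0xFF
```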