Saturday, January 4, 2014

Domain: iri.so

If you are seeing queries for this domain, then you are most likely participating in DNS amplification attacks: your DNS server is reachable from the internet and has recursion enabled (an open resolver).

If you are seeing responses for this domain... unlucky. You are currently being DDoSed! Good luck.
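To turn the "are you seeing queries for this domain" test into something you can run against a resolver's log, here is an added example (not part of the original post) that tallies type ANY queries for a list of known amplification names per client address in classic BIND 9 querylog lines. It assumes the older `client <ip>#<port>: query: <qname> IN <qtype> <flags>` line format; the sample lines are constructed, not real log data.

```python
"""Spot open-resolver abuse in a BIND query log.

Added example, not part of the original post. The post says that seeing
*queries* for iri.so means your resolver is being used as an amplifier.
This script tallies, per client address, the type ANY queries for a list
of known amplification names in classic BIND 9 querylog lines (format
assumed: 'client <ip>#<port>: query: <qname> IN <qtype> <flags>').
The sample lines below are constructed, not real log data.
"""
import re
from collections import Counter

# Classic BIND 9 querylog line; newer releases add more fields, so the
# pattern is anchored on the 'client ...: query:' core only (assumption).
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log: 198.51.100.7 is the spoofed source (the victim).
SAMPLE_LOG = """\
04-Jan-2014 10:15:01.123 client 198.51.100.7#21517: query: iri.so IN ANY +E (203.0.113.53)
04-Jan-2014 10:15:01.127 client 198.51.100.7#21517: query: iri.so IN ANY +E (203.0.113.53)
04-Jan-2014 10:15:01.130 client 198.51.100.7#21517: query: IRI.SO IN ANY +E (203.0.113.53)
04-Jan-2014 10:15:02.001 client 192.0.2.10#53412: query: www.example.com IN A + (203.0.113.53)
04-Jan-2014 10:15:02.500 client 198.51.100.7#21517: query: iri.so IN A + (203.0.113.53)
04-Jan-2014 10:15:03.000 client 192.0.2.10#53413: query: iri.so IN ANY +E (203.0.113.53)
"""


def amplification_queries(lines, blacklist, qtypes=("ANY",)):
    """Return Counter{client_ip: n} of queries for blacklisted names.

    Names are compared case-insensitively and without the trailing dot,
    because the sender controls the case of the QNAME (the u32 rule in
    the post masks case for the same reason)."""
    names = {n.lower().rstrip(".") for n in blacklist}
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        if m["qtype"].upper() in qtypes and m["qname"].lower().rstrip(".") in names:
            hits[m["client"]] += 1
    return hits


def likely_victims(hits, threshold):
    """Clients at or above the threshold. These source addresses are
    spoofed, so they are the DDoS *victims*, not the attacker; blocking
    them by source IP only finishes the attacker's job. Drop on the
    QNAME (as the iptables rules in the post do) or disable recursion."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    counts = amplification_queries(SAMPLE_LOG.splitlines(), ["iri.so"])
    for ip, n in counts.most_common():
        print("%-16s %d ANY queries for blacklisted names" % (ip, n))
    print("likely victims (spoofed sources):", likely_victims(counts, 3))
```

Run it against a real log with `amplification_queries(open("query.log"), ["iri.so"])`. The point of `likely_victims` is the one people get wrong under pressure: the "client" in the log is whoever the attacker wants to flood, so the fix is on the query name or on recursion, not on the source address.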


IPtables:


There are two iptables rules available. If your distribution supports the iptables 'u32' match module, pick that one; otherwise use the 'string' rule.

U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03495249 && 0x2c&0xFFDFDFFF=0x02534f00" -j DROP -m comment --comment "DROP DNS Q iri.so"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 48 --algo bm --hex-string '|0369726902736f00|' -j DROP -m comment --comment "DROP DNS Q iri.so"

More iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
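The two rules above are hand-built from the DNS wire format, and it helps to see where the numbers come from before trusting them on a production box. The following is an added example (not code from the original post or from the smurfmonitor rule set) that derives both rules for any domain name and checks the u32 expression against a constructed query packet. It assumes IPv4 without IP options, which is what the offsets 0x28/0x2c and `--from 40` in the original rules also assume: 20-byte IP header + 8-byte UDP header + 12-byte DNS header puts the question name at byte 40.

```python
"""Derive and check the iptables u32 / string matches for a DNS QNAME.

Added example, not part of the original post or the smurfmonitor rule set.
It rebuilds the two iri.so rules from first principles and generalises
them to any domain name. Offsets assume IPv4 with no IP options:
20-byte IP header + 8-byte UDP header + 12-byte DNS header puts the
question name at byte 40 (0x28), which is where both rules start.
"""
IP_HDR, UDP_HDR, DNS_HDR = 20, 8, 12
QNAME_OFFSET = IP_HDR + UDP_HDR + DNS_HDR   # 40 == 0x28


def wire_name(domain):
    """'iri.so' -> b'\\x03iri\\x02so\\x00' (DNS wire-format labels)."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label: %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def u32_expression(domain):
    """One '<offset>&<mask>=<value>' test per 4-byte word of the name.

    Letters get mask 0xDF (clears the ASCII case bit 0x20) and an
    upper-case comparison value, so the match is case-insensitive just
    like the rule in the post; length bytes and the final 0 keep 0xFF.
    A name that is not a multiple of 4 bytes is padded with don't-care
    bytes (mask 0x00) that fall on the QTYPE/QCLASS following it."""
    masked = []
    for b in wire_name(domain):
        is_letter = 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A
        masked.append((0xDF, b & 0xDF) if is_letter else (0xFF, b))
    masked += [(0x00, 0x00)] * ((-len(masked)) % 4)
    tests = []
    for i in range(0, len(masked), 4):
        mask = int.from_bytes(bytes(m for m, _ in masked[i:i + 4]), "big")
        value = int.from_bytes(bytes(v for _, v in masked[i:i + 4]), "big")
        tests.append("0x%x&0x%08X=0x%08x" % (QNAME_OFFSET + i, mask, value))
    return " && ".join(tests)


def string_hex(domain):
    """Hex-string form used by the string match: '|0369726902736f00|'."""
    return "|" + wire_name(domain).hex() + "|"


def iptables_rules(domain):
    """Return (u32_rule, string_rule) in the same shape as the post's rules."""
    name_len = len(wire_name(domain))
    u32 = ('iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "%s" '
           '-j DROP -m comment --comment "DROP DNS Q %s"'
           % (u32_expression(domain), domain))
    string = ("iptables --insert INPUT -p udp --dport 53 -m string --from %d --to %d "
              "--algo bm --hex-string '%s' -j DROP -m comment --comment \"DROP DNS Q %s\""
              % (QNAME_OFFSET, QNAME_OFFSET + name_len, string_hex(domain), domain))
    return u32, string


def u32_matches(packet, expression):
    """Evaluate the '<off>&<mask>=<value> && ...' subset of u32 syntax on a
    raw IPv4 packet the way the kernel module does: offsets count from the
    IP header, and a read past the end of the packet fails the match."""
    for test in expression.split("&&"):
        lhs, value = test.strip().split("=")
        off, mask = (int(x, 16) for x in lhs.split("&"))
        if off + 4 > len(packet):
            return False
        if int.from_bytes(packet[off:off + 4], "big") & mask != int(value, 16):
            return False
    return True


def build_query(domain, qtype=255):
    """Constructed sample packet: IPv4 + UDP + DNS query for <domain>,
    type ANY (255) by default, checksums left at zero."""
    dns = bytes.fromhex("123401000001000000000000") + wire_name(domain) \
        + qtype.to_bytes(2, "big") + b"\x00\x01"           # id, RD, 1 question
    udp = (12345).to_bytes(2, "big") + (53).to_bytes(2, "big") \
        + (UDP_HDR + len(dns)).to_bytes(2, "big") + b"\x00\x00"
    ip = b"\x45\x00" + (IP_HDR + len(udp)).to_bytes(2, "big") \
        + bytes.fromhex("00004000401100000a000001c0a80001")  # ttl 64, proto 17
    return ip + udp + dns


if __name__ == "__main__":
    for rule in iptables_rules("iri.so"):
        print(rule)
    expr = u32_expression("iri.so")
    print("u32 matches 'iri.so' query:", u32_matches(build_query("iri.so"), expr))
    print("u32 matches 'IRI.SO' query:", u32_matches(build_query("IRI.SO"), expr))
    # The string rule compares raw bytes, so an upper-case QNAME slips past it:
    print("string bytes equal for 'IRI.SO':",
          build_query("IRI.SO")[40:48] == bytes.fromhex("0369726902736f00"))
```

Two things worth noticing from running it. The u32 rule matches `IRI.SO` as well as `iri.so` because of the 0xDF masks, while the string rule as written is byte-exact; the string module has an `--icase` option if you want the same tolerance there. And the ANY query this builds carries a 24-byte DNS payload, against the 3968-byte response size listed further down, which is the roughly 165x amplification that makes this domain worth blocking.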

Source:


No IP source for this domain

Name server:


;; ANSWER SECTION:
iri.so. 600 IN NS ns1.spaceweb.ru.
iri.so. 600 IN NS ns2.spaceweb.ru.


Response:


A 5
MX 41
NS 3
SOA 1
TXT 3
Rsize 3968


Whois


This whois service is provided by GMO Registry and only contains
information pertaining to Internet domain names we have registered for
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) GMO Registry http://www.gmo-registry.com/en/

Domain ID:GMOREGISTRY-DO4238
Domain Name:IRI.SO
Created On:2013-07-10T05:38:55.0Z
Last Updated On:2013-09-25T10:13:18.0Z
Expiration Date:2014-07-10T23:59:59.0Z
Status:ok
Registrant ID:sub-708849
Registrant Name:Kanevsky Alexandr
Registrant Street1:Dniprovska Naberejna, 26
Registrant City:Kyiv
Registrant State/Province:Kievskaya
Registrant Postal Code:02000
Registrant Country:UA
Registrant Phone:+380.919028653
Registrant Email:vinject0@gmail.com
Admin ID:sub-708849
Admin Name:Kanevsky Alexandr
Admin Street1:Dniprovska Naberejna, 26
Admin City:Kyiv
Admin State/Province:Kievskaya
Admin Postal Code:02000
Admin Country:UA
Admin Phone:+380.919028653
Admin Email:vinject0@gmail.com
Tech ID:sub-708849
Tech Name:Kanevsky Alexandr
Tech Street1:Dniprovska Naberejna, 26
Tech City:Kyiv
Tech State/Province:Kievskaya
Tech Postal Code:02000
Tech Country:UA
Tech Phone:+380.919028653
Tech Email:vinject0@gmail.com
Billing ID:sub-708849
Billing Name:Kanevsky Alexandr
Billing Street1:Dniprovska Naberejna, 26
Billing City:Kyiv
Billing State/Province:Kievskaya
Billing Postal Code:02000
Billing Country:UA
Billing Phone:+380.919028653
Billing Email:vinject0@gmail.com
Sponsoring Registrar ID:subreg
Sponsoring Registrar Organization:Gransy s.r.o. d/b/a/ subreg.cz
Sponsoring Registrar Street1:Borivojova 35
Sponsoring Registrar City:Praha
Sponsoring Registrar Postal Code:135 00
Sponsoring Registrar Country:CZ
Sponsoring Registrar Phone:+420.420732954549
Name Server:NS1.SPACEWEB.RU
Name Server:NS2.SPACEWEB.RU
DNSSEC:Unsigned

5 comments:

  1. This is a fantastic post, very well authored and easy to understand. Thanks so much for this.
    Domain Registration Bangalore
    Linux Hosting Bangalore
  2. This helped me a lot :) I was under an attack, and just blocked the input with dst port 53 and dropped the packets, and my network is back again. This is in RouterOS. Thanks for the advice.
  3. I am suffering from this... how do I block it? Windows Server 2008 R2
  4. In Windows Server, disable recursion. If you need recursion, then you should consider a split DNS design.
    Not so good option: create an iri.so dummy zone and add iri to the global query block list.

    Replies
    1. You should do split DNS. Outside should not be recursive.