[Unbound-users] Random subdomain flood query
daisuke.higashi at gmail.com
Wed Apr 1 19:34:48 CEST 2015
2015-04-02 0:51 GMT+09:00 Daniel Ryslink <daniel.ryslink at dialtelecom.cz>:
> However, you can maintain local zone list in unbound automatically fairly
> easily, we have been doing it for over a year with minimal necessity of
> manual intervention. If you wish, have a look at the attached perl script.
unbound-bloomfilter's attack detection mechanisms implement almost
same thing as your script.
I used public suffix list (source code embedded, currently) to
determine depth of blocking domain
which corresponds to your "third_level_domains.conf".
Note that the bloomfilter itself is a way to reduce collateral damage
caused by filtering.
Of course to reduce damage caused by wrong (false positive) filtering and
to accept legitimate queries for the filtered domain
> The only other option is to persuade the users of the compromised machines
> to clean their systems.
More information about the Unbound-users