Hello. For about a week now my caching DNS server has been getting sluggish.
Well, I looked at the configs and it was my mistake: I had enabled recursion and the cache for everyone. I fixed that and denied the cache, then (being over-cautious) additionally set the rate-limit parameters; it got a bit better and... the log started filling up with
OK, I protected myself with ipset+iptables and disabled recursion.
~# tcpdump -vvvSi isp0 dst port 53 and dst host $NS_BIND_ADDR -c 20
tcpdump: listening on isp0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:21:05.558228 IP (tos 0x0, ttl 232, id 22036, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:05.632601 IP (tos 0x0, ttl 232, id 40723, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:05.645513 IP (tos 0x0, ttl 247, id 52066, offset 0, flags [DF], proto UDP (17), length 63)
95.105.98.204.dynamic.orsk.ufanet.ru.8096 > vl7.132.lan.domain: [bad udp cksum 0x0293 -> 0x02f4!] 52066+ A? z.www.game918.com. (35)
15:21:05.801877 IP (tos 0x0, ttl 242, id 22230, offset 0, flags [DF], proto UDP (17), length 71)
109.83.214.87.44799 > vl7.132.lan.domain: [bad udp cksum 0xa077 -> 0xa0e6!] 22230+ A? bpqlonvru.www.game918.com. (43)
15:21:05.801954 IP (tos 0x0, ttl 243, id 19795, offset 0, flags [DF], proto UDP (17), length 71)
cpe-75-80-83-78.bak.res.rr.com.59374 > vl7.132.lan.domain: [bad udp cksum 0x3208 -> 0x3277!] 19795+ A? pcwitazsh.www.game918.com. (43)
15:21:05.822325 IP (tos 0x0, ttl 232, id 1294, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:05.906370 IP (tos 0x0, ttl 232, id 51220, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:05.972093 IP (tos 0x0, ttl 242, id 36232, offset 0, flags [DF], proto UDP (17), length 67)
h82-143-136-142-static.e-wro.net.pl.11182 > vl7.132.lan.domain: [bad udp cksum 0x3bd1 -> 0x3c02!] 36232+ A? tdgwl.www.game918.com. (39)
15:21:06.003952 IP (tos 0x0, ttl 246, id 44064, offset 0, flags [DF], proto UDP (17), length 63)
118-168-32-173.dynamic.hinet.net.3071 > vl7.132.lan.domain: [bad udp cksum 0x606d -> 0x60ce!] 44064+ A? c.www.game918.com. (35)
15:21:06.021578 IP (tos 0x0, ttl 240, id 35922, offset 0, flags [DF], proto UDP (17), length 67)
customer.vtx1.net.46281 > vl7.132.lan.domain: [bad udp cksum 0x0e58 -> 0x0e89!] 35922+ A? gqtfr.www.game918.com. (39)
15:21:06.092896 IP (tos 0x0, ttl 232, id 61451, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:06.167148 IP (tos 0x0, ttl 232, id 24599, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:06.200939 IP (tos 0x0, ttl 242, id 4235, offset 0, flags [DF], proto UDP (17), length 73)
59.165.139.17.static-mumbai.vsnl.net.in.93 > vl7.132.lan.domain: [udp sum ok] 4235+ A? xfwkshytagu.www.game918.com. (45)
15:21:06.210645 IP (tos 0x0, ttl 248, id 6320, offset 0, flags [DF], proto UDP (17), length 71)
nc-67-239-176-25.dhcp.embarqhsd.net.13817 > vl7.132.lan.domain: [bad udp cksum 0xb238 -> 0xb2a7!] 6320+ A? rmxgzovna.www.game918.com. (43)
15:21:06.352838 IP (tos 0x0, ttl 232, id 48394, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:06.422357 IP (tos 0x0, ttl 232, id 32010, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:06.610145 IP (tos 0x0, ttl 232, id 36620, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:06.678114 IP (tos 0x0, ttl 232, id 20999, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:06.860525 IP (tos 0x0, ttl 232, id 10766, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
15:21:06.930314 IP (tos 0x0, ttl 232, id 38411, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
20 packets captured
64 packets received by filter
17 packets dropped by kernel
Here is my question. What is this actually for? What is the purpose of all this UDP flood?
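
Added example, not part of the original post: a small Python tally of tcpdump query lines like those above, by source, query type and name. It separates the two patterns visible in the capture: one source repeating "ANY? isc.org." with an EDNS buffer of 4096, and many sources asking for different one-off labels under www.game918.com. The function names and the min_labels threshold are assumptions made for illustration; the sample lines are copied from the capture.

```python
import re
from collections import Counter, defaultdict

# Sample input: one header line and seven query lines taken from the capture above.
SAMPLE = """\
15:21:05.558228 IP (tos 0x0, ttl 232, id 22036, offset 0, flags [none], proto UDP (17), length 64)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
95.105.98.204.dynamic.orsk.ufanet.ru.8096 > vl7.132.lan.domain: [bad udp cksum 0x0293 -> 0x02f4!] 52066+ A? z.www.game918.com. (35)
109.83.214.87.44799 > vl7.132.lan.domain: [bad udp cksum 0xa077 -> 0xa0e6!] 22230+ A? bpqlonvru.www.game918.com. (43)
cpe-75-80-83-78.bak.res.rr.com.59374 > vl7.132.lan.domain: [bad udp cksum 0x3208 -> 0x3277!] 19795+ A? pcwitazsh.www.game918.com. (43)
bba117993.alshamil.net.ae.25345 > vl7.132.lan.domain: [no cksum] 10809+ [1au] ANY? isc.org. ar: . OPT UDPsize=4096 OK (36)
h82-143-136-142-static.e-wro.net.pl.11182 > vl7.132.lan.domain: [bad udp cksum 0x3bd1 -> 0x3c02!] 36232+ A? tdgwl.www.game918.com. (39)
"""

SRC = re.compile(r"^\s*(\S+)\.(\d+) > ")                        # source host and port
QRY = re.compile(r" (\d+)\+ (?:\[\d+au\] )?([A-Z0-9]+)\? (\S+?)\.? ")  # id, qtype, qname
EDNS = re.compile(r"UDPsize=(\d+)")                             # advertised EDNS buffer

def parse(line):
    """Return (src, qtype, qname, edns_size) for a query line, else None."""
    s, q = SRC.search(line), QRY.search(line)
    if not (s and q):
        return None          # timestamp/header lines and non-query lines
    e = EDNS.search(line)
    return s.group(1), q.group(2), q.group(3).lower(), int(e.group(1)) if e else 0

def summarize(text, min_labels=3):
    """Tally large-EDNS ANY queries per (source, name) and parents with many one-off labels."""
    any_by_src = Counter()
    labels = defaultdict(set)    # parent name -> distinct leftmost labels seen
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, qtype, qname, edns = rec
        # 512 bytes is the classic DNS-over-UDP limit; a larger buffer permits a large reply.
        if qtype == "ANY" and edns > 512:
            any_by_src[(src, qname)] += 1
        first, _, parent = qname.partition(".")
        labels[parent].add(first)
    random_parents = {p: len(s) for p, s in labels.items() if len(s) >= min_labels}
    return any_by_src, random_parents

if __name__ == "__main__":
    any_by_src, random_parents = summarize(SAMPLE)
    print("ANY with large EDNS buffer:", dict(any_by_src))
    print("parents with many distinct labels:", random_parents)
```
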