On Saturday, 09.06.2012, 14:11 +0300, Kostas Zorbadelos wrote:
> The situation is similar but not the same as the one described here:
>
> https://isc.sans.edu/diary.html?storyid=13261
>
> We used IPtables and the string module to match a specific signature of
> the problematic queries and it worked quite well (in our attack case the
> problematic queries had a very specific and simple pattern).

Mitigating this with snort looks much uglier than the beautiful and
elegant iptables counter measure posted in this list. Not sure how it
holds up under load, though.

Since the attacker uses fixed patterns, he/she seems to be a script
kiddy, and there is a good chance that the TTL can be used to identify
his/her packets. My approach would be to check what TTLs the packets
have vs. those from your clients and see whether you can filter based
on that.

Rudi
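The TTL check Rudi suggests, worked through as an added example (not code from anyone in this thread): it parses constructed tcpdump-style query lines, tallies TTLs separately for queries matching the fixed attack pattern and for everything else, keeps only TTLs that never appear on real client traffic, and renders those as iptables `ttl` match rules. The signature `ANY? example.com.` and the sample lines are assumptions, not the pattern from the actual attack.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not captured traffic). The "ANY? example.com."
# signature is an assumed stand-in for the fixed pattern the thread refers to.
SAMPLE_LINES = """\
IP (tos 0x0, ttl 54, id 1, offset 0, flags [none], proto UDP (17), length 57) 198.51.100.7.41234 > 192.0.2.1.53: 1+ ANY? example.com. (29)
IP (tos 0x0, ttl 54, id 2, offset 0, flags [none], proto UDP (17), length 57) 198.51.100.7.41234 > 192.0.2.1.53: 2+ ANY? example.com. (29)
IP (tos 0x0, ttl 53, id 3, offset 0, flags [none], proto UDP (17), length 57) 198.51.100.9.41234 > 192.0.2.1.53: 3+ ANY? example.com. (29)
IP (tos 0x0, ttl 63, id 4, offset 0, flags [none], proto UDP (17), length 62) 203.0.113.5.5353 > 192.0.2.1.53: 77+ A? www.example.net. (34)
IP (tos 0x0, ttl 117, id 5, offset 0, flags [none], proto UDP (17), length 62) 203.0.113.8.5353 > 192.0.2.1.53: 78+ AAAA? www.example.net. (34)
IP (tos 0x0, ttl 53, id 6, offset 0, flags [none], proto UDP (17), length 62) 203.0.113.9.5353 > 192.0.2.1.53: 79+ MX? example.net. (30)
"""

SIGNATURE = "ANY? example.com."   # assumed attack pattern (placeholder)

LINE_RE = re.compile(
    r"ttl (\d+),.*?(\d+(?:\.\d+){3})\.\d+ > \S+\.53: \d+\+? (\w+)\? (\S+)"
)

def parse(lines):
    """Yield (ttl, source_ip, 'QTYPE? name') for each DNS query line."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2), f"{m.group(3)}? {m.group(4)}"

def ttl_profile(lines, signature=SIGNATURE):
    """Count TTLs separately for queries matching the signature and for the rest."""
    suspect, legit = Counter(), Counter()
    for ttl, _src, query in parse(lines):
        (suspect if query == signature else legit)[ttl] += 1
    return suspect, legit

def ttls_safe_to_filter(lines, signature=SIGNATURE):
    """TTLs seen only on signature traffic; a TTL shared with real clients is skipped."""
    suspect, legit = ttl_profile(lines, signature)
    return sorted(t for t in suspect if t not in legit)

def iptables_rules(ttls, dport=53):
    """Render DROP rules using the iptables ttl match for each filterable TTL."""
    return [f"iptables -A INPUT -p udp --dport {dport} -m ttl --ttl-eq {t} -j DROP"
            for t in ttls]

if __name__ == "__main__":
    # With the sample data, TTL 53 also shows up on a real client's MX query,
    # so only TTL 54 is emitted as a rule.
    for rule in iptables_rules(ttls_safe_to_filter(SAMPLE_LINES)):
        print(rule)
```

Run it against a real `tcpdump -v -l` capture of port 53 traffic to see whether the attack TTLs actually separate from your clients' before adding any rule.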
