{"id":1901,"date":"2012-08-31T17:02:23","date_gmt":"2012-08-31T08:02:23","guid":{"rendered":"http:\/\/www.lancard.com\/blog\/?p=1901"},"modified":"2025-03-12T11:29:49","modified_gmt":"2025-03-12T02:29:49","slug":"dns%e3%82%b5%e3%83%bc%e3%83%90%e3%81%b8%e3%81%aeany-%e3%81%aa%e9%80%a3%e7%b6%9a%e3%83%aa%e3%82%af%e3%82%a8%e3%82%b9%e3%83%88%e5%af%be%e5%bf%9c","status":"publish","type":"post","link":"https:\/\/www.lancard.com\/blog\/2012\/08\/31\/dns%e3%82%b5%e3%83%bc%e3%83%90%e3%81%b8%e3%81%aeany-%e3%81%aa%e9%80%a3%e7%b6%9a%e3%83%aa%e3%82%af%e3%82%a8%e3%82%b9%e3%83%88%e5%af%be%e5%bf%9c\/","title":{"rendered":"Dealing with continuous ANY? . requests to a DNS server"},"content":{"rendered":"<p>Network traffic on a server I manage had risen oddly, and while I was investigating what was going on\u2026<\/p>\n<pre lang=\"bash\">\r\n16:00:11.143581 IP (tos 0x0, ttl 233, id 62542, offset 0, flags [none], proto: UDP (17), length: 61) 184.154.183.56.5325 > 60.32.189.190.domain: [no cksum]  32583+ [1au] ANY? . ar: . OPT UDPsize=9000 (33)\r\n16:00:11.143674 IP (tos 0x0, ttl 233, id 62543, offset 0, flags [none], proto: UDP (17), length: 61) 184.154.183.56.5325 > 60.32.189.190.domain: [no cksum]  32583+ [1au] ANY? . ar: . OPT UDPsize=9000 (33)\r\n16:00:11.143738 IP (tos 0x0, ttl 233, id 62544, offset 0, flags [none], proto: UDP (17), length: 61) 184.154.183.56.5325 > 60.32.189.190.domain: [no cksum]  32583+ [1au] ANY? . ar: . OPT UDPsize=9000 (33)\r\n16:00:11.143823 IP (tos 0x0, ttl 233, id 62545, offset 0, flags [none], proto: UDP (17), length: 61) 184.154.183.56.5325 > 60.32.189.190.domain: [no cksum]  32583+ [1au] ANY? . ar: . 
OPT UDPsize=9000 (33)\r\n16:00:11.143898 IP (tos 0x0, ttl 233, id 62546, offset 0, flags [none], proto: UDP (17), length: 61) 184.154.183.56.5325 > 60.32.189.190.domain: [no cksum]  32583+ [1au] ANY? . ar: . OPT UDPsize=9000 (33)\r\n16:00:11.144194 IP (tos 0x0, ttl  64, id 26513, offset 0, flags [none], proto: UDP (17), length: 56) 60.32.189.190.domain > 184.154.183.56.44493: [bad udp cksum 5296!]  22153 ServFail- q: ANY? . 0\/0\/1 ar: . OPT UDPsize=4096 (28)\r\n16:00:11.144323 IP (tos 0x0, ttl  64, id 26514, offset 0, flags [none], proto: UDP (17), length: 56) 60.32.189.190.domain > 184.154.183.56.44493: [bad udp cksum 5296!]  22153 ServFail- q: ANY? . 0\/0\/1 ar: . OPT UDPsize=4096 (28)\r\n16:00:11.144432 IP (tos 0x0, ttl  64, id 26515, offset 0, flags [none], proto: UDP (17), length: 56) 60.32.189.190.domain > 184.154.183.56.44493: [bad udp cksum 5296!]  22153 ServFail- q: ANY? . 0\/0\/1 ar: . OPT UDPsize=4096 (28)\r\n16:00:11.144539 IP (tos 0x0, ttl  64, id 26516, offset 0, flags [none], proto: UDP (17), length: 56) 60.32.189.190.domain > 184.154.183.56.44493: [bad udp cksum 5296!]  22153 ServFail- q: ANY? . 0\/0\/1 ar: . OPT UDPsize=4096 (28)\r\n<\/pre>\n<p>Whoa, an intense stream of continuous requests to the DNS server. When I measured it, they appeared to be coming in from multiple places at a rate of 50 or more per second. The request content is ANY? . as well, which our authoritative DNS server has no need to answer (so it is returning ServFail). (For a DNS amp DDoS setup, it is a mystery that the (spoofed?) source IPs of the requests are spread around so widely.)<\/p>\n<p>Requests flying in from many places is the fate of a DNS server, so that cannot be helped, but even just returning ServFail raises the load, and it also wastes some bandwidth, so I decided to filter them with iptables.<\/p>\n<pre lang=\"bash\">\r\ntcpdump -n -vvv -X -s1500 -i eth1\r\n<\/pre>\n<p>With that, I picked up the packet contents in a little more detail:<\/p>\n<pre lang=\"bash\">\r\n16:22:35.827460 IP (tos 0x0, ttl 238, id 36986, offset 0, flags [none], proto: UDP (17), length: 61) 97.93.19.246.hexarc > 60.32.189.190.domain: [no cksum]  61037+ [1au] ANY? . ar: . OPT UDPsize=9000 (33)\r\n   0x0000:  4500 003d 907a 0000 ee11 cd03 615d 13f6  E..=.z......a]..\r\n   0x0010:  3c20 bdbe 1ce5 0035 0029 0000 ee6d 0100  <......5.)...m..\r\n   0x0020:  0001 0000 0000 0001 0000 ff00 0100 0029  ...............)\r\n   0x0030:  2328 0000 0000 0000 0000 0000 00         #(...........\r\n16:22:35.944826 IP (tos 0x0, ttl 233, id 48921, offset 0, flags [none], proto: UDP (17), length: 61) 77.99.52.123.25697 > 60.32.189.190.domain: [no cksum]  6521+ [1au] ANY? . ar: . 
OPT UDPsize=9000 (33)\r\n   0x0000:  4500 003d bf19 0000 e911 96d9 4d63 347b  E..=........Mc4{\r\n   0x0010:  3c20 bdbe 6461 0035 0029 0000 1979 0100  <...da.5.)...y..\r\n   0x0020:  0001 0000 0000 0001 0000 ff00 0100 0029  ...............)\r\n   0x0030:  2328 0000 0000 0000 0000 0000 00         #(...........\r\n<\/pre>\n<p>That is what the packets looked like, so with iptables<\/p>\n<pre lang=\"bash\">\r\niptables -t raw -I PREROUTING -p udp --destination-port 53 \\\r\n -m string --algo kmp --from 30 \\\r\n --hex-string \"|010000010000000000010000ff0001000029232800000000000000000000|\" \\\r\n -j DROP\r\n<\/pre>\n<p>I try targeting the pattern that starts at byte 30 of the IP packet, specifying it in hex-string form.<br \/>\nResult:<\/p>\n<pre lang=\"bash\">\r\n16:40:37.686016 IP (tos 0x0, ttl 238, id 51404, offset 0, flags [none], proto: UDP (17), length: 61) 97.93.19.246.32175 > 60.32.189.190.domain: [no cksum]  15020+ [1au] ANY? . ar: . OPT UDPsize=9000 (33)\r\n16:40:37.686094 IP (tos 0x0, ttl 238, id 51405, offset 0, flags [none], proto: UDP (17), length: 61) 97.93.19.246.32175 > 60.32.189.190.domain: [no cksum]  15020+ [1au] ANY? . ar: . OPT UDPsize=9000 (33)\r\n16:40:37.686176 IP (tos 0x0, ttl 238, id 51406, offset 0, flags [none], proto: UDP (17), length: 61) 97.93.19.246.32175 > 60.32.189.190.domain: [no cksum]  15020+ [1au] ANY? . ar: . OPT UDPsize=9000 (33)\r\n16:40:37.853317 IP (tos 0x0, ttl 234, id 23094, offset 0, flags [DF], proto: UDP (17), length: 69) 201.6.2.85.14604 > 60.32.189.190.domain: [udp sum ok]  11303% [1au] AAAA? ns.server.st. ar: . OPT UDPsize=4096 (41)\r\n16:40:37.854079 IP (tos 0x0, ttl  64, id 44172, offset 0, flags [none], proto: UDP (17), length: 110) 60.32.189.190.domain > 201.6.2.85.14604:  11303*- q: AAAA? ns.server.st. 0\/1\/1 ns: server.st. 
SOA[|domain]\r\n16:40:37.855922 IP (tos 0x0, ttl 234, id 23093, offset 0, flags [DF], proto: UDP (17), length: 69) 201.6.2.85.62860 > 60.32.189.190.domain: [udp sum ok]  15132% [1au] A? ns.server.st. ar: . OPT UDPsize=4096 (41)\r\n16:40:37.856467 IP (tos 0x0, ttl  64, id 44173, offset 0, flags [none], proto: UDP (17), length: 143) 60.32.189.190.domain > 201.6.2.85.62860:  15132*- q: A? ns.server.st. 1\/2\/2 ns.server.st. A 60.32.189.190 ns: server.st.[|domain]\r\n<\/pre>\n<p>It no longer returns ServFail, and it correctly answers the requests it should answer.<br \/>\nPeace is best in all things (\u00b4\u30fc\uff40)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Network traffic on a server I manage had risen oddly, and while I was investigating what was going on\u2026 16:00:11.143581 IP (tos 0x0, ttl 233, id 62542, offset 0, fla [&hellip;]<\/p>\n","protected":false},"author":18,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[76,6,1],"tags":[80,77,78,79],"class_list":["post-1901","post","type-post","status-publish","format-standard","hentry","category-security","category-server","category-1","tag-ddos","tag-dns","tag-iptables","tag-tcpdump"],"_links":{"self":[{"href":"https:\/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/posts\/1901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/comments?post=1901"}],"version-history":[{"count":17,"href":"https:\/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/posts\/1901\/revisions"}],"predecessor-version":[{"id":1920,"href":"https:\/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/posts\/1901\/revisions\/1920"}],"wp:attachment":[{"href":"https:\
/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/media?parent=1901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/categories?post=1901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lancard.com\/blog\/wp-json\/wp\/v2\/tags?post=1901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}