I've noticed a lot of DNS requests for ./NS/IN (an NS query for the root zone) lately, usually with a source IP in the 69.63.x.x range that belongs to Facebook:
Jun 24 12:37:26 named[2892]: client 69.63.180.238#32934: query (cache) './NS/IN' denied
Jun 24 12:38:04 named[2892]: client 69.63.186.213#38594: query (cache) './NS/IN' denied
Jun 24 12:38:05 named[2892]: client 69.63.186.213#38594: query (cache) './NS/IN' denied
Jun 24 12:38:05 named[2892]: client 69.63.180.242#33150: query (cache) './NS/IN' denied
A bit of research led to this post, which taught me that these are most likely reflection attacks: the source addresses are spoofed, and the real target is the Facebook machines those addresses belong to. The perpetrator sends the same query to many DNS servers with the victim's address forged as the source, so the victim receives all the answers. An improperly-configured server that answers external queries for zones it is not authoritative for (an open resolver) returns a fairly lengthy reply, the root NS set, which amplifies the attack; a correctly-configured server sends only a short REFUSED response. Either way, the poor victim ends up having to deal with a lot of unsolicited traffic.
I wanted to block these. There is no circumstance in which an external address should be querying my server for the root domain, and I want to block this on principle. It is worth noting that my decision will have very little effect on the victim, who is being hit by thousands of responses from many servers.
The solution on the above-mentioned post is to use iptables with the u32 module, which matches on raw bytes of the packet and so can pick out the root query itself. However, getting this to work on my Slicehost server proved more trouble than it was worth, so I devised a simpler solution.
Having done some packet logging with iptables, I determined that the packets I wanted to drop were shorter than valid requests. This doesn't come as a surprise: a valid request will contain one of my domain names, whereas the DDoS packets are requests for the root domain ".", whose wire-format name is a single zero byte. This rule works for me:
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:domain length 1:51
…which drops UDP packets to port 53 whose length is 51 bytes or less. The length module matches the total IP packet length, headers included, so a root query without EDNS0 comes to 20 (IPv4) + 8 (UDP) + 12 (DNS header) + 1 (root name) + 4 (type and class) = 45 bytes. The rule is installed with a single iptables command; you'll need to adjust it to match your chain names, as I have a separate chain for processing inbound UDP packets like these.
You should check that the 51-byte limit works for you: it should block all external root requests but nothing else. Be aware that a query for a very short name can be just as small as a root query, and that a root query carrying an EDNS0 OPT record is larger than 51 bytes and will get through, so this isn't foolproof and infallible, but it works for me for now. Facebook, contact me to find out where to send the reward for lightening the load on your servers ;-)
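As an added example (this is not code from the original post), the shell script below reproduces the arithmetic behind the 51-byte cut-off so you can see exactly which queries it catches, and prints the iptables command that installs the rule. It assumes IPv4 (a 20-byte header without options) and a chain named INBOUND_UDP, which is a placeholder for whatever chain your inbound UDP traffic goes through; the sizes it computes are the values the iptables length match sees.

```shell
#!/bin/sh
# Added example, not from the original post. Computes the on-the-wire size of
# a DNS-over-UDP/IPv4 query so the "length 1:51" rule can be sanity-checked,
# and prints the iptables command for the rule. The chain name INBOUND_UDP is
# an assumption; substitute your own.

# Size in bytes of a query for NAME as seen by iptables' length match
# (IPv4 header + UDP header + DNS header + question section).
# Pass "edns" as the second argument to add an EDNS0 OPT pseudo-record,
# which most modern resolvers include.
dns_query_len() {
    name=$1
    edns=$2
    # Wire-format QNAME: one length byte per label plus a terminating zero
    # byte, so it is len(name) + 2 for a normal name and a single zero byte
    # for the root ".".
    if [ "$name" = "." ]; then
        qname=1
    else
        name=${name%.}                 # drop a trailing dot, if present
        qname=$(( ${#name} + 2 ))
    fi
    # 20 IPv4 + 8 UDP + 12 DNS header + QNAME + 2 QTYPE + 2 QCLASS
    len=$(( 20 + 8 + 12 + qname + 4 ))
    # OPT RR: 1 (root name) + 2 type + 2 class + 4 TTL + 2 RDLENGTH = 11 bytes
    [ "$edns" = "edns" ] && len=$(( len + 11 ))
    echo "$len"
}

# Succeeds (exit 0) when a packet of LEN bytes matches "--length 1:LIMIT".
dropped_by_rule() {
    len=$1
    limit=${2:-51}
    [ "$len" -ge 1 ] && [ "$len" -le "$limit" ]
}

# The rule from the post as an iptables command. Printed rather than executed
# so the script is safe to run anywhere; run the output once you are happy.
iptables_rule() {
    chain=${1:-INBOUND_UDP}
    limit=${2:-51}
    echo "iptables -A $chain -p udp --dport 53 -m length --length 1:$limit -j DROP"
}

# Sanity check over a few constructed query names: which ones does the
# cut-off actually catch?
for q in "." "ab.cd" "abc.de" "example.com" "www.example.com"; do
    l=$(dns_query_len "$q")
    if dropped_by_rule "$l"; then verdict=DROP; else verdict=pass; fi
    printf '%-16s %3d bytes  %s\n' "$q" "$l" "$verdict"
done
printf '%-16s %3d bytes  pass (root query with EDNS0 slips through)\n' \
    ". +edns" "$(dns_query_len . edns)"
iptables_rule
```

Two things the table makes visible: a name of five characters or fewer including the dot (ab.cd) encodes to exactly 51 bytes and is dropped along with the root queries, and a root query with an EDNS0 OPT record comes to 56 bytes and passes. If only the non-EDNS root query should match, a limit of 45 is tight: the shortest possible non-root query (a single one-letter label) is already 47 bytes. The rule is IPv4-only; ip6tables keeps separate tables, and an IPv6 header is 40 bytes, so the numbers do not carry over.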