New type of DDoS? Anyone saw it?

bert hubert bert.hubert at
Mon May 16 19:41:44 UTC 2016

On Mon, May 16, 2016 at 09:20:17PM +0200, Marek Królikowski wrote:
> Hello
> I just call to one of the client who do this DDoS and he confirm, he use UBI
> devices....
> Anyone know how to block all AAAA query like this: "query 331.206.372.214 IN
> AAAA" with random AAA.XXX.YYY.ZZZ address?

Marek, I don't know if BIND does this natively, but the following dnsdist
statement implements this:

addAction(RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$"), DropAction())

If you want you could also do:

addAction(AndRule{QTypeRule(pdns.AAAA), RegexRule("^[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}$")}, DropAction())

Which limits it to AAAA. 

The only other things you need to do are setACL() so dnsdist allows access
to the right IP addresses and newServer("") to set the IP address
of your actual BIND server.

This would also get you a whole bunch of cool statistics on how well your
server is doing. For more on dnsdist, see


More information about the bind-users mailing list