lot of 'ripe.net IN ANY +ED' queries
Ondřej Caletka
Ondrej.Caletka at cesnet.cz
Mon Jul 23 14:42:11 UTC 2012
Dne 23.7.2012 15:09, Marek Salwerowicz napsal(a):
> BTW - is this attack any new kind of virus/spyware or sth ?
Actually, I think these queries to ripe.net ANY with EDNS0 are caused by
some common malware. My servers are receiving these from time to time
and complaining to a person responsible for source IP address is enough
to stop it.
So in this case, the source address is probably not spoofed. The only
question is: Why is the malware doing it?
I use linux netfilter's hashlimit target to limit queries to reasonable
rate, with a special lower rate for ANY-type queries. I use this
iptables matcher to identify incoming query type:
https://github.com/oskar456/xt_dns
Cheers,
Ondřej Caletka,
CESNET, z.s.p.o.
http://www.ces.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5563 bytes
Desc: Elektronick�� podpis S/MIME
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120723/e0e9a273/attachment.bin>
More information about the bind-users
mailing list