FW: Preventing a particular type of nameserver abuse
Alessandro Vesely
vesely at tana.it
Wed Apr 14 10:46:44 UTC 2021
On Wed 14/Apr/2021 00:37:22 +0200 Richard T.A. Neal wrote:
> Julien Salort wrote:
>
>> Reading this thread, I considered simply enabling the fail2ban named-refused jail, but they advise against it because it would end up blocking the victim rather than the attacker.
>
> I'm happy to be corrected by more knowledgeable people than me, but I don't necessarily agree with fail2ban's recommendation. By blocking traffic to the victim (which is what I'm doing by blocking traffic from the spoofed Source IP, because no inbound traffic means no outgoing replies) then I'm helping to protect the victim, or at least prevent my server being used in the reflection attack against that victim.
That behavior might expose the victim to some kind of spear DoS. If the
attackers know the victim is going to seek services from .myzone, they can
spray the authoritative servers of .myzone with illegal requests apparently
coming from the victim's resolvers. That way, when the victim tries to resolve
needed.service.myzone it will be DoSsed.
Best
Ale
--
More information about the bind-users
mailing list