Millions of './ANY/IN' queries denied
Grant Taylor
gtaylor at tnetconsulting.net
Wed Dec 15 15:46:34 UTC 2021
On 12/15/21 4:51 AM, Danilo Godec via bind-users wrote:
> Hello,
Hi,
> I'm noticing some unusual activity where 48 external IPs generated over
> 2M queries that have all been denied (just today):
>
> 15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0
> 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
I see this type of thing on occasion.
> I'm guessing this is some sort of a reflection attack attempt, but I
> don't quite understand if these are the perpetrators or victims?
I'd bet a reasonable lunch that these are spoofed addresses of intended
victims.
> Would I be doing a bad thing by using fail2ban to block these IPs?
As others have indicated, there are likely side effects to blocking the
IPs, be it with fail2ban or otherwise.
I'd suggest investigating response rate limiting. It seems like it can
fairly gracefully help ensure that your server doesn't participate in a
DoS reply attack while still playing fairly well with otherwise well
behaving clients.
--
Grant. . . .
unix || die
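As an added illustration that is not part of the thread or of BIND itself: a small Python script that parses the `query (cache) './ANY/IN' denied` lines of the format quoted above and counts denied QTYPE ANY queries per apparent source. It assumes the one line layout shown in the message (the `@0x...` client pointer and the `view NAME:` part are treated as optional); the sample log lines, thresholds and function names are constructed for this example.

```python
"""Aggregate denied ANY queries from BIND 'security' category log lines.

Hypothetical helper written for this thread; not BIND tooling. It parses the
'query (cache) ... denied' line format quoted above and counts, per source
address, how many denied queries asked for QTYPE ANY, the pattern typical of
DNS amplification attempts whose source addresses are usually spoofed victims.
"""
import re
from collections import Counter

# Matches the "query ... denied" line quoted in the thread. The "@0x..." client
# pointer and the "view NAME:" part are optional because older builds and
# view-less configurations omit them.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"security: info: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"(?:view (?P<view>[^:]+): )?"
    r"query \((?P<kind>cache|recursion)\) "
    r"'(?P<name>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied$"
)


def parse_denied_query(line):
    """Return the fields of one denied-query line, or None if it is not one."""
    m = DENIED_RE.match(line.strip())
    return m.groupdict() if m else None


def count_denied_any(lines):
    """Map apparent source IP -> number of denied queries whose QTYPE was ANY."""
    counts = Counter()
    for line in lines:
        rec = parse_denied_query(line)
        if rec and rec["qtype"] == "ANY":
            counts[rec["ip"]] += 1
    return counts


def reflection_candidates(lines, threshold):
    """Sources with at least `threshold` denied ANY queries, most active first.

    The addresses returned are the *apparent* sources. In a reflection attempt
    they are normally the spoofed addresses of the intended victims, so the list
    is input for rate-limit tuning and reporting, not a block list.
    """
    counts = count_denied_any(lines)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


# Constructed sample lines in the format quoted in the thread; 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges, not real clients.
SAMPLE_LOG = [
    "15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied",
    "15-Dec-2021 00:01:42.031 security: info: client @0x7f96180b3fe0 194.48.217.14#59699 (.): view outside: query (cache) './ANY/IN' denied",
    "15-Dec-2021 00:01:42.040 security: info: client @0x7f96180b3fe0 194.48.217.14#59700 (.): view outside: query (cache) './ANY/IN' denied",
    "15-Dec-2021 00:01:43.105 security: info: client @0x7f9618100ab0 203.0.113.7#4096 (.): view outside: query (cache) './ANY/IN' denied",
    "15-Dec-2021 00:01:43.110 security: info: client @0x7f9618100ab0 203.0.113.7#4096 (.): view outside: query (cache) './ANY/IN' denied",
    # A denied non-ANY query: parsed, but not counted as an ANY reflection candidate.
    "15-Dec-2021 00:01:44.000 security: info: client @0x7f9618100ab0 198.51.100.20#53211 (www.example.com): view outside: query (cache) 'www.example.com/A/IN' denied",
    # Unrelated line, ignored by the parser.
    "15-Dec-2021 00:01:45.000 general: info: zone example.com/IN: loaded serial 2021121501",
]

if __name__ == "__main__":
    for ip, n in reflection_candidates(SAMPLE_LOG, threshold=2):
        print(f"{ip}: {n} denied ANY queries")
```

Run against the real `security` channel log (`python3 script.py < named-security.log` after swapping `SAMPLE_LOG` for `sys.stdin`) to see how the 48 addresses and 2M queries break down per source before deciding on a response. Since these queries are already denied, the server is not amplifying them; the point of response rate limiting is the remaining traffic that does get answered. In BIND 9 that is the `rate-limit { responses-per-second N; log-only yes; };` block in `options`, where `log-only yes` lets you observe what would be limited before enforcing it.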