Millions of './ANY/IN' queries denied

Reindl Harald h.reindl at thelounge.net
Thu Dec 16 14:40:19 UTC 2021



On 16.12.21 at 15:29, Andrew P. wrote:
> Reindl Harald <h.reindl at thelounge.net> writes:
>> On 16.12.21 at 14:56, Andrew P. wrote:
>>> Reindl Harald <h.reindl at thelounge.net> writes:
>>>> On 16.12.21 at 14:22, Andrew P. wrote:
>>>>> You don't understand what kind of blacklist I want; I want to blacklist the domain name
>>>>> being asked for, so I don't answer for it. I'm not looking to blacklist forged IP addresses
>>>>> of requestors (since we all know criminals don't use their own identities; they use the
>>>>> identities of innocent bystanders).
>>>>>
>>>>> Again, why should _my_ nameserver respond to a query for "./ANY/IN"? I am not a rootserver, and never will be.
>>>>
>>>> AGAIN: you don't gain anything by not responding on a UDP protocol
>>>> because the client can't distinguish between no response and packet loss
>>>
>>> AGAIN, the criminal DDoS attacker who's creating these forged requests isn't looking for replies to themselves
>>
>> but a legit client does while these attacks aren't successful at all
> 
> And you still haven't told me who would be a legitimate client making that request for the
> root domain from my nameserver. Frankly, I can't think of _anyone_ who should be making
> that request of my nameserver.

it's an example where you introduce more trouble than you solve when 
things go bad

>>> they're looking to abuse some poor victim. And the victim can't make the attacker shut up
>>
>> this attacker must be pretty dumb then because the ANY request only
>> makes sense if it gets answered and the response is magnitudes larger than
>> the request
> 
> Not if the attacker has a huge bot-net to make the requests. He doesn't care how much of
> the bots' network capacity is used up, since the attacker isn't paying for it. 

but it makes no sense to play that over your server instead of blowing the 
traffic out directly

> And, based on the same
> philosophy as spam, if they hit enough name servers, some of them will be insecure and provide the
> full response

still pretty dumb not to test with a single ANY request whether you would respond

> I suspect they do know what they are doing, or they wouldn't be wasting their
> time doing it

"know what they are doing" must also be the reason why I have had a ton of 
hardcoded spam subjects with specific typos for over 10 years and even 
respond on the MX that I don't like the subject

pretty sure the original idea was not to hit a specific real word, but 
after all these years a famous typo is a 100% spam sign

they don't waste their time but blow out every sort of nonsense in the 
hope someone is hit by it; your server is immune to what they try, no 
problem exists
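As an added example (not part of this thread, and not taken from BIND's own documentation; the numeric values are illustrative choices), here is a BIND `named.conf` `options` block that addresses both positions argued above: the spoofed victim gets little amplification and a capped response rate, while a legitimate client still receives a signal it can act on instead of silence that looks like packet loss.

```conf
options {
    // Authoritative-only server: never act as a resolver, so a query for
    // the root ("./ANY/IN") is refused and logged rather than answered.
    recursion no;
    allow-query-cache { none; };

    // BIND 9.11+: answer UDP ANY with a single RRset instead of every
    // record at the name, which removes most of the amplification value
    // an ANY reflection attack is after. Full answers still go over TCP.
    minimal-any yes;
    minimal-responses yes;

    // Response Rate Limiting: identical answers to the same client /24
    // are capped, so a spoofed victim address cannot be flooded through
    // this server. "slip 2" sends every second dropped response as a
    // truncated (TC=1) reply, so a real client retries over TCP and is
    // not left guessing between "no answer" and packet loss.
    rate-limit {
        responses-per-second 10;   // illustrative value
        errors-per-second 5;       // applies to REFUSED/SERVFAIL as well
        window 5;
        slip 2;
    };
};
```

The refused root queries still appear in the log as `query (cache) './ANY/IN' denied`; that line is the expected, harmless outcome of `recursion no`, not something that needs a per-domain blacklist. Rate limiting is what turns millions of spoofed requests into a bounded number of small, truncated replies.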
