freebsd ipfw question
Timothe Litt
litt at acm.org
Tue Feb 22 02:09:56 UTC 2022
On 21-Feb-22 18:36, Randy Bush wrote:
>> for some reason lost in time, i have the following in `/etc/ipfw.rules`
>> on a freebsd system running bind9
>>
>> add allow tcp from any to me 53 limit src-addr 1 setup
>> add deny tcp from any to me 53
Except that rule wouldn't help. I put the non-local connections into a
file, and executed:
sed -e 's/^.*->//; s/:[0-9]\{1,\} .*$//;' zz.tmp | sort | wc -l
sed -e 's/^.*->//; s/:[0-9]\{1,\} .*$//;' zz.tmp | sort -u | wc -l
I get the same number in both cases - 156. They're mostly IPv6
remotes. So while there are IPv6 address blocks that are making a lot
of connections, each address only makes one. So the rule (limiting to 1
connection/address) would have no effect.
Interestingly, they come from sequentially numbered hosts. Mostly in
2607:f8b0:4002::. (use 'less' instead of wc -l to see this). Whois says
the address block 2607:f8b0::/32 is assigned to google (AS15169).
Why these blocks are making connections - and how long they persist may
deserve some investigation.
They could be a DDoS - or a parallelized DNS survey.
If you decide they are abusive, the previous firewall rule isn't the
right mitigation.
It's important not to jump to conclusions...
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
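The total-vs-unique check in the message above, as an added example that is not part of the post or the thread: it runs the same comparison over a constructed sample of connection lines in an assumed "local -> remote:port state" layout, and also counts connections per address and per IPv6 /48, so the difference between what a per-address "limit src-addr 1" rule can see and a block-level pattern is visible. The sample lines, the 198.51.100.7 address and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of connection lines in an assumed "local -> remote:port state"
# layout (the layout the sed expressions in the message expect). Addresses are
# illustrative: 2607:f8b0:4002:: is the block named in the thread, 198.51.100.7
# is a documentation address.
SAMPLE='10.0.0.5:53 -> 2607:f8b0:4002::1:40001 ESTABLISHED
10.0.0.5:53 -> 2607:f8b0:4002::2:40002 ESTABLISHED
10.0.0.5:53 -> 2607:f8b0:4002::3:40003 ESTABLISHED
10.0.0.5:53 -> 2607:f8b0:4002::4:40004 ESTABLISHED
10.0.0.5:53 -> 198.51.100.7:51000 ESTABLISHED
10.0.0.5:53 -> 198.51.100.7:51001 ESTABLISHED
10.0.0.5:53 -> 198.51.100.7:51002 ESTABLISHED'

# Keep only the remote address: drop everything up to the arrow, then the
# trailing ":port state". \{1,\} is the POSIX spelling of GNU sed's \+.
remotes() { printf '%s\n' "$SAMPLE" | sed -e 's/^.*-> *//; s/:[0-9]\{1,\} .*$//'; }

# The two counts from the message: all connections vs distinct remote addresses.
total()  { remotes | wc -l | tr -d ' '; }
unique() { remotes | sort -u | wc -l | tr -d ' '; }

# Connections held by the busiest single address. A "limit src-addr 1" rule
# only bites where this exceeds 1.
max_per_address() { remotes | sort | uniq -c | sort -rn | awk 'NR==1 {print $1}'; }

# Group IPv6 remotes by their first three hextets (a /48 for addresses not
# written with a leading "::") to expose block-level concentration that a
# per-address limit cannot see. Output lines are "count prefix".
per_block() {
    remotes | grep ':' | awk -F: '{print $1 ":" $2 ":" $3 "::/48"}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}
top_block() { per_block | head -n 1; }

echo "total=$(total) unique=$(unique) busiest_address=$(max_per_address)"
echo "busiest /48: $(top_block)"
```

With this sample the busiest address holds 3 connections, so the limit rule would act on it, while the four /48 hosts at one connection each pass untouched, which is the situation the message describes.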