freebsd ipfw question

Timothe Litt litt at acm.org
Tue Feb 22 02:09:56 UTC 2022


On 21-Feb-22 18:36, Randy Bush wrote:
>> for some reason lost in time, i have the following in `/etc/ipfw.rules`
>> on a freebsd system running bind9
>>
>>      add allow tcp from any to me 53 limit src-addr 1 setup
>>      add deny tcp from any to me 53

Except that rule wouldn't help.  I put the non-local  connections into a 
file, and executed:

sed zz.tmp -e's/^.*->//; s/:[0-9]\+ .*$//;' | sort      | wc -l
sed zz.tmp -e's/^.*->//; s/:[0-9]\+ .*$//;' | sort -u | wc -l

I get the same number in both cases - 156.  They're mostly IPv6 
remotes.  So while there are IPv6 address blocks that are making a lot 
of connections, each address only makes one.  So the rule (limiting to 1 
connection/address) would have no effect.

Interestingly, they come from sequentially numbered hosts. Mostly in 
2607:f8b0:4002::.  (use 'less' instead of 'wc -l' to see this).  Whois says 
the address block 2607:f8b0::/32 is assigned to google (AS15169).

Why these blocks are making connections - and how long they persist may 
deserve some investigation.

They could be a DDOS - or a parallelized DNS survey.

If you decide they are abusive, the previous firewall rule isn't the 
right mitigation.

It's important not to jump to conclusions...

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
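The per-address versus per-block distinction made above, as an added example that is not part of the original post: it reproduces the total-vs-unique count of the sed pipeline and then aggregates remotes by enclosing prefix, which is what a `limit src-addr 1` rule cannot see. The connection-line format and the sample lines are constructed assumptions, not the author's data.

```python
"""Count remote addresses per host and per prefix from a connection listing."""
from collections import Counter
import ipaddress
import re

# Constructed sample lines; the assumed shape is "local -> remote:port state",
# which is what the sed pipeline in the post strips down to an address.
SAMPLE_LINES = """\
2001:db8::35:53 -> 2607:f8b0:4002::10:51234 ESTABLISHED
2001:db8::35:53 -> 2607:f8b0:4002::11:51235 ESTABLISHED
2001:db8::35:53 -> 2607:f8b0:4002::12:51236 ESTABLISHED
2001:db8::35:53 -> 2607:f8b0:4002::13:51237 ESTABLISHED
2001:db8::35:53 -> 2607:f8b0:4003::7:40001 ESTABLISHED
2001:db8::35:53 -> 198.51.100.9:33000 ESTABLISHED
2001:db8::35:53 -> 198.51.100.9:33001 ESTABLISHED
""".splitlines()

# Remote endpoint after "->": greedy address, then ":port" at a word boundary.
REMOTE_RE = re.compile(r"->\s*(\S+):(\d+)(?:\s|$)")


def remote_addresses(lines):
    """Return the remote address (port dropped) of every parseable line."""
    out = []
    for line in lines:
        m = REMOTE_RE.search(line)
        if m:
            out.append(ipaddress.ip_address(m.group(1)))
    return out


def per_host_counts(addrs):
    """Connections per single remote address: the view 'limit src-addr 1' has."""
    return Counter(str(a) for a in addrs)


def per_prefix_counts(addrs, v6_prefix=48, v4_prefix=24):
    """Connections per enclosing block, which a per-address limit cannot see."""
    counts = Counter()
    for a in addrs:
        plen = v6_prefix if a.version == 6 else v4_prefix
        counts[str(ipaddress.ip_network(f"{a}/{plen}", strict=False))] += 1
    return counts


def limit_would_refuse(addrs, limit=1):
    """How many connections a per-address limit of `limit` would have refused."""
    return sum(max(0, n - limit) for n in per_host_counts(addrs).values())


if __name__ == "__main__":
    addrs = remote_addresses(SAMPLE_LINES)
    print("total", len(addrs), "unique", len(per_host_counts(addrs)))
    print("refused by limit 1:", limit_would_refuse(addrs))
    print(per_prefix_counts(addrs).most_common())
```

Run against a real listing, a large gap between the per-prefix and per-host counts is the signature described in the post: many connections from a block, one per address.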
