How can I tell in the log if a query was successful or refused due to recursion?

Tony Toews ttoews at telusplanet.net
Thu Dec 15 04:38:04 UTC 2005


Mark Andrews <Mark_Andrews at isc.org> wrote:

>	It's a recursive DNS DDoS amplification attack.  The client's
>	address is forged.  It is depending on named to amplify the
>	traffic.  The actual target is 216.18.224.133.

Yeah, I can't ignore these like I would spam attempts to nonexistent addresses.
BIND is responding to the spoofed IP addresses by sending traffic to those spoofed IP
addresses thus bothering the heck out of them.

Spam to nonexistent email addresses just means the mail server gets the header data
and sends back the standard refusal message back down the connection to the system
attempting to send spam to my system.

I will talk to the upstream provider tomorrow but I don't know if there's anything I
can do.  

Already in about nine hours my BIND log file is sitting at 550 kb.  

Tony
-- 
Tony Toews, Microsoft Access MVP
   Please respond only in the newsgroups so that others can 
read the entire thread of messages.
   Microsoft Access Links, Hints, Tips & Accounting Systems at 
http://www.granite.ab.ca/accsmstr.htm
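
For the question in the subject line, an added example (not part of the original post or of BIND itself) that tallies, per client address, how many recursive queries named logged and how many of them it refused, so the addresses it actually answered stand out as the likely forged sources. It assumes the usual BIND 9 line shapes for the "queries" and "security" logging categories, and treats a recursive query with no matching "denied" line as answered; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the style of BIND 9 "queries" and "security" category
# lines (assumed format; the post shows no log lines). Addresses are
# documentation ranges, not taken from the thread.
SAMPLE_LOG = """\
15-Dec-2005 04:30:01.101 queries: info: client 198.51.100.7#1025: query: example.net IN ANY +
15-Dec-2005 04:30:01.350 queries: info: client 198.51.100.7#1025: query: example.net IN ANY +
15-Dec-2005 04:30:01.612 queries: info: client 198.51.100.7#1025: query: example.net IN ANY +
15-Dec-2005 04:30:02.004 queries: info: client 203.0.113.9#4411: query: example.org IN A +
15-Dec-2005 04:30:02.005 security: info: client 203.0.113.9#4411: query (cache) 'example.org/A/IN' denied
15-Dec-2005 04:30:02.870 queries: info: client 192.0.2.10#5300: query: example.com IN SOA -
"""

# Optional groups tolerate the "@0x..." and "(name)" fields newer releases add.
CLIENT = r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
QUERY_RE = re.compile(CLIENT + r"query: \S+ \S+ \S+ (?P<flags>\S+)")
DENIED_RE = re.compile(CLIENT + r"query \(cache\).*denied")


def summarize(text):
    """Per client address: queries seen, recursion requested, recursion denied."""
    stats = {}
    for line in text.splitlines():
        denied = DENIED_RE.search(line)
        query = QUERY_RE.search(line)
        if denied:
            stats.setdefault(denied["ip"], Counter())["denied"] += 1
        elif query:
            counts = stats.setdefault(query["ip"], Counter())
            counts["queries"] += 1
            if query["flags"].startswith("+"):  # "+" = recursion desired
                counts["recursive"] += 1
    return stats


def served_recursively(stats):
    """Recursive queries with no matching denial (assumed answered by named)."""
    served = {ip: c["recursive"] - c["denied"] for ip, c in stats.items()}
    return {ip: n for ip, n in served.items() if n > 0}


if __name__ == "__main__":
    for ip, n in sorted(served_recursively(summarize(SAMPLE_LOG)).items()):
        print(f"{ip}: {n} recursive queries answered")
```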



More information about the bind-users mailing list