FW: Preventing a particular type of nameserver abuse

Carl Byington carl at byington.org
Wed Apr 14 00:18:29 UTC 2021


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Tue, 2021-04-13 at 22:42 +0000, Richard T.A. Neal wrote:
> Yes, another individual & I were discussing this off-list today. We
> wonder if those queries are from malware on infected hosts that are
> trying to determine whether a given nameserver can be used in a
> distributed reflection attack? The source IP is not spoofed (because
> it wants to get the answer), so if it gets either "refused" or a
> timeout then it knows that nameserver can't be used in the reflection
> attack. But if it gets a response with data then it knows it *can* be
> used in the reflection attack.

That makes sense, but in that case the malware is badly written (what a
surprise). In 28 hours a single dns server here saw 1182 such queries
from 80.2.150.110 = cpc99574-brnt1-2-0-cust621.4-2.cable.virginm.net.

I am now using the equivalent of fail2ban to firewall those clients.

-----BEGIN PGP SIGNATURE-----

iHMEAREKADMWIQSuFMepaSkjWnTxQ5QvqPuaKVMWwQUCYHY0yhUcY2FybEBmaXZl
LXRlbi1zZy5jb20ACgkQL6j7milTFsEkYwCfT3lTQO8NIdgSkMvAS03QmrnixiUA
n0IYWwS3qImFMByQzfUbWhK1v850
=D55z
-----END PGP SIGNATURE-----
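As an added example (not code from the original post, from BIND, or from fail2ban), the following Python sketches the fail2ban-style detection described in the message above: it parses BIND 9 "queries"/"security" channel lines, counts queries per source address over a sliding window, and emits a firewall rule for any source that exceeds a threshold. The log lines, the client addresses, and the threshold and window values are constructed for the example; a real deployment would tail named's log instead.

```python
"""Rate-based banning of DNS clients from BIND 9 query/security log lines.

Added example, not code from the original post, BIND, or fail2ban.
The log lines below are constructed to look like BIND 9's "queries" and
"security" channels with print-time enabled; the threshold, window and the
client addresses (documentation ranges) are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both "query: ..." and "query (cache) '...' denied" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client(?: @0x[0-9a-f]+)? (?P<ip>[0-9a-fA-F.:]+)#\d+ "
)


def parse_line(line):
    """Return (timestamp, client_ip, denied) or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), line.rstrip().endswith(" denied")


def find_abusers(lines, threshold=10, window=timedelta(minutes=5),
                 denied_only=False):
    """Sliding-window counter per source, like fail2ban's maxretry/findtime.

    Returns {ip: timestamp at which the ban decision was first reached}.
    A prober that wants to see the answer cannot spoof its source, so the
    address counted here is the real client, not a reflection victim.
    """
    events = [e for e in map(parse_line, lines) if e]
    if denied_only:
        events = [e for e in events if e[2]]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _denied in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in banned:
            banned[ip] = ts
    return banned


def firewall_command(ip):
    """Drop further DNS from the source (iptables form; nftables is analogous)."""
    return f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP"


def _constructed_log():
    """Constructed sample: one prober hammering a zone we refuse, one normal client."""
    base = datetime(2021, 4, 13, 22, 0, 0)
    fmt = "%d-%b-%Y %H:%M:%S.%f"
    lines = []
    for i in range(12):  # 12 refused queries in under two minutes
        t = (base + timedelta(seconds=9 * i)).strftime(fmt)[:-3]
        lines.append(f"{t} client @0x7f3c5c0a1e40 198.51.100.77#5{i:04d} "
                     f"(example.com): query (cache) 'example.com/A/IN' denied")
    for i in range(2):  # a legitimate client asking for a zone we serve
        t = (base + timedelta(seconds=30 * i)).strftime(fmt)[:-3]
        lines.append(f"{t} client @0x7f3c5c0a2f80 192.0.2.20#53011 "
                     f"(example.org): query: example.org IN A +E(0)K (203.0.113.5)")
    lines.append("13-Apr-2021 22:00:05.000 general: info: "
                 "zone example.org/IN: loaded serial 2021041301")
    return lines


SAMPLE_LOG = _constructed_log()
BANNED = find_abusers(SAMPLE_LOG)

if __name__ == "__main__":
    for ip, when in BANNED.items():
        print(f"# {ip} exceeded threshold at {when}")
        print(firewall_command(ip))
```

The threshold in the example is deliberately naive; a busy legitimate recursive resolver can send far more than ten queries in five minutes, so in production it is safer to count only the refused (`denied`) lines, as `denied_only=True` does, and to use a window long enough that a burst from a real resolver does not trip it.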




More information about the bind-users mailing list