Bind dns amplification attack
Petr Špaček
pspacek at isc.org
Tue Mar 28 12:42:27 UTC 2023
On 28. 03. 23 14:30, Matus UHLAR - fantomas wrote:
> On 28.03.23 18:48, Nyamkhand Buluukhuu wrote:
>> Like below in named.conf:
>>
>> acl recclients {
>> 43.228.128.2/32;
>> 202.70.32.17/32;
>> 103.29.147.0/29;
>> 103.99.103.0/24;
>> };
>>
>> allow-recursion { recclients; };
>
> Great, this means that only clients with those IP addresses can query
> your server for non-local information.
>
> So, your server should NOT be part of Amplification attack.
That would indeed suggest that the attack is coming from inside,
assuming the source IP address really is what it pretends to be (i.e.,
packets are indeed coming from your internal network and do not have
spoofed source IP).
Once you have confirmation, the only thing left is to determine the
infected/misbehaving client machines and clean them up locally.
Hopefully it helps a bit to narrow the area you have to search.
--
Petr Špaček
Internet Systems Consortium
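A defender-side triage over BIND querylog output, added here as an example and not part of the thread: it uses the ACL prefixes posted above, counts recursive queries per internal client (flagging bursts and ANY queries), and separately lists RD-set queries from addresses outside the ACL, which is where spoofed sources or an over-wide ACL would show up. The querylog line format and the sample lines are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# The prefixes from the named.conf "acl recclients" posted in the thread.
RECCLIENTS = [ipaddress.ip_network(p) for p in (
    "43.228.128.2/32", "202.70.32.17/32", "103.29.147.0/29", "103.99.103.0/24")]

# Matches the client address, query type and flags of a BIND querylog line.
LOG_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
                    r"\([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")

# Constructed sample querylog lines (not from the thread): one internal host
# bursting ANY queries, one normal client, one address outside the ACL with
# RD set, and one non-recursive query.
SAMPLE_LOG = """\
28-Mar-2023 12:40:01.001 client @0x7f1 103.99.103.7#51234 (isc.org): query: isc.org IN ANY +E(0) (103.99.103.1)
28-Mar-2023 12:40:01.002 client @0x7f1 103.99.103.7#51235 (isc.org): query: isc.org IN ANY +E(0) (103.99.103.1)
28-Mar-2023 12:40:01.003 client @0x7f1 103.99.103.7#51236 (isc.org): query: isc.org IN ANY +E(0) (103.99.103.1)
28-Mar-2023 12:40:02.000 client @0x7f2 202.70.32.17#4000 (example.com): query: example.com IN A +E(0)K (103.99.103.1)
28-Mar-2023 12:40:03.000 client @0x7f3 198.51.100.9#7777 (isc.org): query: isc.org IN ANY +E(0) (103.99.103.1)
28-Mar-2023 12:40:04.000 client @0x7f4 103.29.147.3#5353 (example.net): query: example.net IN MX -E(0) (103.99.103.1)
""".splitlines()

def in_acl(ip):
    """True if the client address is covered by the allow-recursion ACL."""
    return any(ip in net for net in RECCLIENTS)

def triage(lines, threshold=3):
    """Count recursive queries per client and flag suspicious sources."""
    per_client, any_per_client, outside_acl = Counter(), Counter(), set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m["flags"].startswith("+"):   # '+' = RD bit set
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not in_acl(ip):
            # named should refuse recursion for these; many such hits suggest
            # spoofed source addresses or an ACL wider than intended.
            outside_acl.add(str(ip))
            continue
        per_client[str(ip)] += 1
        if m["qtype"] == "ANY":          # classic amplification query type
            any_per_client[str(ip)] += 1
    suspects = sorted(ip for ip, n in per_client.items()
                      if n >= threshold or any_per_client[ip])
    return {"per_client": dict(per_client), "any": dict(any_per_client),
            "outside_acl": sorted(outside_acl), "suspects": suspects}
```

Run `triage(SAMPLE_LOG)` (or feed it real querylog lines) and start the local cleanup with the addresses under `suspects`; anything under `outside_acl` is worth a look at source validation before trusting the log's addresses.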