lot of 'ripe.net IN ANY +ED' queries
bortzmeyer at nic.fr
Mon Jul 23 12:33:22 UTC 2012
On Mon, Jul 23, 2012 at 02:07:51PM +0200,
Marek Salwerowicz <marek_sal at wp.pl> wrote
a message of 30 lines which said:
> What I did now is just to parse logs and block IPs that ask for
> ripe.net via ipfw.
As mentioned by Phil Mayers, the source IP address is forged. By
blocking this IP, you strike the victim.
> But are there any other solutions for these permanent attacks?
The operators of F-root use this on their FreeBSD machines to
rate-limit per source IP:
add pipe 1 udp from any to any 53 in
pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 400Kbit/s queue 3
add pipe 2 tcp from any to any 53 in
pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3
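
An added example, not part of the original message and not F-root's code: a simplified Python model of the UDP pipe above, showing why `mask src-ip 0xffffffff` (one queue per source address) caps queries carrying the forged address while an ordinary client on the same server is untouched, compared with a single shared pipe. The addresses, the 80-byte query size, the query rates and the assumption that a packet in transmission still occupies a queue slot are all constructed for illustration.

```python
# Added example: simplified model of a dummynet pipe with "mask src-ip".
# Assumptions (not from the post): 80-byte queries, the rates below, and
# that a packet being transmitted still occupies one of the queue slots.
from collections import defaultdict, deque
from ipaddress import IPv4Address

BW_BPS = 400_000      # "bw 400Kbit/s" from the UDP pipe
QUEUE_SLOTS = 3       # "queue 3"
PKT_BYTES = 80        # constructed query size


def simulate(arrivals, mask):
    """arrivals: iterable of (time_us, src_ip). Returns {src: [passed, dropped]}."""
    tx_us = PKT_BYTES * 8 * 1_000_000 // BW_BPS   # time to drain one packet
    queues = defaultdict(deque)                   # one queue per masked source
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(arrivals):
        q = queues[int(IPv4Address(src)) & mask]
        while q and q[0] <= t:                    # packets already sent
            q.popleft()
        if len(q) >= QUEUE_SLOTS:
            stats[src][1] += 1                    # queue full: dropped
            continue
        start = q[-1] if q else t
        q.append(start + tx_us)                   # departure time of this packet
        stats[src][0] += 1
    return dict(stats)


def demo():
    forged = "192.0.2.1"       # constructed: spoofed address, i.e. the victim
    resolver = "198.51.100.7"  # constructed: ordinary client
    arrivals = [(t, forged) for t in range(0, 1_000_000, 200)]         # 5000 qps
    arrivals += [(t, resolver) for t in range(0, 1_000_000, 100_000)]  # 10 qps
    per_source = simulate(arrivals, 0xFFFFFFFF)  # mask from the post
    shared = simulate(arrivals, 0x00000000)      # one pipe for everybody
    return per_source, shared


if __name__ == "__main__":
    per_source, shared = demo()
    print("per-source pipes:", per_source)
    print("single shared pipe:", shared)
```

With per-source pipes the forged address is held to roughly 625 queries per second and the resolver loses nothing; with a single shared pipe the resolver's queries are crowded out by the flood.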