lot of 'ripe.net IN ANY +ED' queries

Ondřej Caletka Ondrej.Caletka at cesnet.cz
Mon Jul 23 14:42:11 UTC 2012

Dne 23.7.2012 15:09, Marek Salwerowicz napsal(a):
> BTW - is this attack any new kind of virus/spyware or sth ?

Actually, I think these queries to ripe.net ANY with EDNS0 are caused by
some common malware. My servers are receiving these from time to time
and complaining to a person responsible for source IP address is enough
to stop it.

So in this case, the source address is probably not spoofed. The only
question is: Why is the malware doing it?

I use linux netfilter's hashlimit target to limit queries to reasonable
rate, with a special lower rate for ANY-type queries. I use this
iptables matcher to identify incoming query type:


Ondřej Caletka,
CESNET, z.s.p.o.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5563 bytes
Desc: Elektronick�� podpis S/MIME
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120723/e0e9a273/attachment.bin>

More information about the bind-users mailing list