lot of 'ripe.net IN ANY +ED' queries
Ondrej.Caletka at cesnet.cz
Mon Jul 23 14:42:11 UTC 2012
On 23.7.2012 15:09, Marek Salwerowicz wrote:
> BTW - is this attack any new kind of virus/spyware or sth?
Actually, I think these queries to ripe.net ANY with EDNS0 are caused by
some common malware. My servers are receiving these from time to time,
and complaining to the person responsible for the source IP address is enough
to stop it.
So in this case, the source address is probably not spoofed. The only
question is: Why is the malware doing it?
I use Linux netfilter's hashlimit target to limit queries to a reasonable
rate, with a special lower rate for ANY-type queries. I use this
iptables matcher to identify the incoming query type:
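Added example, not from the post above and not Ondrej's actual rules: a user-space model of the netfilter setup he describes. It classifies a UDP DNS query by QTYPE by parsing the question section, compares that with the parse-free byte-pattern check a packet filter can do (the kind of thing `iptables -m string --hex-string` matches on), and applies a per-source token bucket in the spirit of xt_hashlimit with `--hashlimit-mode srcip`, with a separate, lower-rate bucket for ANY (QTYPE 255). The rates, burst sizes, source addresses and every packet are constructed for the demonstration.

```python
"""User-space model of a per-source DNS query rate limiter with a stricter
limit for ANY queries (added example; rates, sources and packets constructed)."""
import struct

QTYPE_A, QTYPE_OPT, QTYPE_ANY, QCLASS_IN = 1, 41, 255, 1


def build_query(qname, qtype, txid=0x1234, edns=False):
    """Build a minimal DNS query (constructed input, not a captured packet).
    With edns=True an empty OPT RR is appended, as '+edns' queries carry."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    if edns:
        # OPT pseudo-RR: root name, TYPE 41, UDP payload size 4096, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0)
    return msg


def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question, or None if malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    off, labels = 12, []
    while True:
        if off >= len(msg):
            return None
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 or off + length > len(msg):
            return None  # compression pointer or truncated label: reject
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    if off + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels) + ".", qtype, qclass


def pattern_says_any(msg):
    """Parse-free approximation a packet filter can use: the QNAME terminator
    followed by QTYPE=ANY and QCLASS=IN, i.e. bytes 00 00ff 0001 after the header."""
    return b"\x00\x00\xff\x00\x01" in msg[12:]


class HashLimit:
    """Per-source token bucket, like xt_hashlimit with --hashlimit-mode srcip:
    'rate' tokens/second refill, at most 'burst' tokens, one token per query."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[src] = (tokens - 1.0 if ok else tokens, now)
        return ok


class DnsQueryFilter:
    """ANY queries must first pass a tight bucket; whatever survives is then
    subject to the general per-source limit (two rules, ANY rule first)."""

    def __init__(self, general_rate=100.0, general_burst=100, any_rate=5.0, any_burst=5):
        self.general = HashLimit(general_rate, general_burst)
        self.any_only = HashLimit(any_rate, any_burst)

    def decide(self, src, msg, now):
        question = parse_question(msg)
        if question is None:
            return "DROP"  # malformed question never reaches the resolver
        _, qtype, _ = question
        if qtype == QTYPE_ANY and not self.any_only.allow(src, now):
            return "DROP"
        return "ACCEPT" if self.general.allow(src, now) else "DROP"


def run_flood(filt, src, msg, count, interval):
    """Replay 'count' copies of msg from src, 'interval' seconds apart;
    return (accepted, dropped)."""
    accepted = sum(filt.decide(src, msg, i * interval) == "ACCEPT" for i in range(count))
    return accepted, count - accepted


if __name__ == "__main__":
    any_q = build_query("ripe.net", QTYPE_ANY, edns=True)
    a_q = build_query("ripe.net", QTYPE_A)
    print(parse_question(any_q), pattern_says_any(any_q), pattern_says_any(a_q))
    print("ANY flood:", run_flood(DnsQueryFilter(), "192.0.2.10", any_q, 20, 0.01))
    print("A   flood:", run_flood(DnsQueryFilter(), "192.0.2.10", a_q, 20, 0.01))
```

Two caveats the model makes visible. First, a byte-pattern match such as `-m string --algo bm --hex-string "|0000ff0001|"` scans the whole payload and can in principle hit the same five bytes elsewhere in an unusual or malformed message, whereas the parser above checks exactly the QTYPE of the first question; in the kernel the pattern is what you get, so keep the matched rule narrow (UDP, port 53, inbound). Second, keying the bucket on the source address only helps when that address is genuine, which is consistent with Ondrej's observation that complaining to the owner of the source IP stops the traffic; against spoofed floods a per-source limit mostly punishes the spoofed victim, and the ANY-specific bucket is then the more useful of the two.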