Preventing a particular type of nameserver abuse

Carl Byington carl at byington.org
Tue Apr 13 21:04:14 UTC 2021


On Tue, 2021-04-13 at 22:32 +0200, Julien Salort wrote:
> Reading this thread, I considered simply enabling the fail2ban
> named-refused jail, but they advise against it because it would end
> up blocking the victim rather than the attacker.

In the particular case of the .sl denied queries, I don't think these
are forged queries from the attack victim. Something else is going on
here. We see queries from systems like these, almost exclusively
consumer endpoints:

142-197-133-231.res.spectrum.com.
mta-162-154-195-235.kya.rr.com.
mobile-166-173-63-176.mycingular.net.
prg03s05-in-f193.1e100.net.
prg03s05-in-f1.1e100.net.
pool-173-79-59-79.washdc.fios.verizon.net.
174-30-51-96.wrbg.centurylink.net.
c-174-53-75-253.hsd1.va.comcast.net.
174-081-062-250.res.spectrum.com.
cpe-174-106-58-62.ec.res.rr.com.
192.sub-174-214-12.myvzw.com.
stop-looking-at-drifteds-ip.gov.
252.243.53.179.d.dyn.claro.net.do.
ip184-186-26-40.no.no.cox.net.
dsl-187-193-200-41-dyn.prod-infinitum.com.mx.
dsl-189-178-58-206-dyn.prod-infinitum.com.mx.
customer-189-216-112-75.cablevision.net.mx.
189.223.57.66.dsl.dyn.telnor.net.
212-149-157-12.rev.dnaip.fi.

It seems unlikely that someone is trying to attack those specific
endpoints. Unless the attack is *very* widely distributed and they are
actually attacking the ISP infrastructure. But in that case, this seems
to be a simultaneous attack on almost every major ISP, which I find
unlikely.


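The triage Carl describes above, turned into a small log-analysis script. This is an added example written for this page, not code from the original post, from BIND or from fail2ban. It assumes the "denied" line format that BIND 9 writes to its "security" logging category; the sample log lines, the addresses (RFC 5737 documentation ranges) and the reverse-DNS names are all constructed for the example, and the residential-hostname hints are a heuristic modelled on the PTR names quoted in the thread. The point it makes concrete is the one in the reply: a spoofed reflection attack shows up as a few "sources" with many denied queries each (banning them bans the victim), whereas the .sl traffic discussed here is spread thinly over many consumer endpoints, which a named-refused jail would simply ban one by one.

```python
"""Triage BIND 'denied' query-log lines: concentrated (few sources, many
queries each, consistent with spoofed reflection) versus distributed
(many sources, few queries each, as in the .sl case discussed)."""
import re
from collections import Counter

# Matches the lines BIND 9 emits in its "security" category when a query is
# refused by allow-query / allow-recursion. Format assumed from BIND's
# default logging; the "@0x..." client handle is optional in the regex.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query \([^)]+\) "
    r"'(?P<name>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

# Constructed sample in the distributed pattern: 7 addresses, 8 queries.
SAMPLE_LOG = """\
13-Apr-2021 20:59:01.101 client @0x7f2e3c0b1a60 198.51.100.23#41523 (ns1.example.sl): query (cache) 'ns1.example.sl/A/IN' denied
13-Apr-2021 20:59:02.204 client @0x7f2e3c0b1a60 203.0.113.77#50112 (example.sl): query (cache) 'example.sl/MX/IN' denied
13-Apr-2021 20:59:02.887 client @0x7f2e3c0b1a60 198.51.100.91#61001 (www.example.sl): query (cache) 'www.example.sl/A/IN' denied
13-Apr-2021 20:59:03.412 client @0x7f2e3c0b1a60 203.0.113.5#33401 (mail.example.sl): query (cache) 'mail.example.sl/A/IN' denied
13-Apr-2021 20:59:04.009 client @0x7f2e3c0b1a60 192.0.2.140#44870 (ns1.example.sl): query (cache) 'ns1.example.sl/A/IN' denied
13-Apr-2021 20:59:05.550 client @0x7f2e3c0b1a60 192.0.2.141#44871 (example.sl): query (cache) 'example.sl/A/IN' denied
13-Apr-2021 20:59:05.551 client @0x7f2e3c0b1a60 198.51.100.23#41524 (example.sl): query (cache) 'example.sl/AAAA/IN' denied
13-Apr-2021 20:59:06.100 client @0x7f2e3c0b1a60 192.0.2.77#52000 (example.sl): query (cache) 'example.sl/ANY/IN' denied
"""

# Constructed sample in the reflection pattern: one spoofed "source", six
# ANY queries. Banning 203.0.113.200 here would ban the victim.
REFLECTION_LOG = "".join(
    f"13-Apr-2021 21:00:{i:02d}.000 client @0x7f2e3c0b1a60 203.0.113.200#{40000 + i} "
    f"(example.sl): query (cache) 'example.sl/ANY/IN' denied\n"
    for i in range(6)
)

# Constructed reverse-DNS results, in the style of the PTR names quoted in
# the thread. A real triage would resolve these (or read them from a cache).
SAMPLE_PTR = {
    "198.51.100.23": "cpe-198-51-100-23.res.example-cable.net",
    "203.0.113.77": "pool-203-0-113-77.example-fiber.net",
    "198.51.100.91": "mobile-198-51-100-91.example-mobile.net",
    "203.0.113.5": "ns2.example-hosting.net",
    "192.0.2.140": "dsl-192-0-2-140-dyn.example-dsl.net",
    "192.0.2.141": "192-0-2-141.res.example-cable.net",
    # 192.0.2.77 deliberately has no PTR.
}

# Substrings typical of ISP-generated PTR names for consumer endpoints
# (heuristic, assumed from the hostnames listed in the thread).
RESIDENTIAL_HINTS = ("res.", "dyn", "dsl", "pool-", "cpe-", "mobile-",
                     "hsd1", "fios", "sub-", "myvzw", "cable")


def parse_denied(lines):
    """Return one record per line that matches BIND's denied-query format."""
    records = []
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            records.append({"src": m["src"],
                            "name": m["name"].lower().rstrip("."),
                            "qtype": m["qtype"]})
    return records


def zone_of(name, labels=2):
    """Collapse a query name to its last `labels` labels (example.sl)."""
    return ".".join(name.split(".")[-labels:])


def summarize(records):
    """Per-source, per-zone and per-qtype counts for a batch of records."""
    return {"total": len(records),
            "sources": Counter(r["src"] for r in records),
            "zones": Counter(zone_of(r["name"]) for r in records),
            "qtypes": Counter(r["qtype"] for r in records)}


def looks_residential(ptr):
    """Heuristic: does this PTR name look like a consumer ISP endpoint?"""
    p = ptr.lower()
    return any(h in p for h in RESIDENTIAL_HINTS)


def classify(summary, ptr_lookup, min_sources=5, max_top_share=0.3):
    """'concentrated': one source dominates (reflection; do not ban it).
    'distributed-residential': many sources, mostly consumer PTR names.
    'distributed': many sources, PTR names not mostly residential."""
    total = summary["total"]
    if total == 0:
        return "no-data"
    n_src = len(summary["sources"])
    _top_ip, top_n = summary["sources"].most_common(1)[0]
    if n_src < min_sources or top_n / total > max_top_share:
        return "concentrated"
    resid = sum(1 for ip in summary["sources"]
                if looks_residential(ptr_lookup.get(ip, "")))
    return "distributed-residential" if resid / n_src >= 0.5 else "distributed"


if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("reflection", REFLECTION_LOG)):
        s = summarize(parse_denied(log.splitlines()))
        print(label, s["total"], "queries from", len(s["sources"]), "sources,",
              "zones", dict(s["zones"]), "->", classify(s, SAMPLE_PTR))
```

Feed it your own `named` security log instead of `SAMPLE_LOG` and replace `SAMPLE_PTR` with real reverse lookups; the thresholds (`min_sources`, `max_top_share`) are starting points, not tuned values. The "concentrated" result is exactly the case where a named-refused jail does harm, since the dominant source address is the spoofed victim.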

More information about the bind-users mailing list