FW: Preventing a particular type of nameserver abuse

Richard T.A. Neal richard at richardneal.com
Tue Apr 13 22:42:28 UTC 2021

> In the particular case of the .sl denied queries, I don't think these are forged queries from the attack victim. Something else is going on here. We see queries from systems like these, almost exclusively consumer endpoints:


> It seems unlikely that someone is trying to attack those specific endpoints. Unless the attack is *very* widely distributed and they are actually attacking the ISP infrastructure. But in that case, this seems to be a simultaneous attack on almost every major ISP, which I find unlikely.

Yes, another individual and I were discussing this off-list today. We wonder if those queries are from malware on infected hosts that are trying to determine whether a given nameserver can be used in a distributed reflection attack. The source IP is not spoofed (because it wants to get the answer), so if it gets either "refused" or a timeout then it knows that nameserver can't be used in the reflection attack. But if it gets a response with data then it knows it *can* be used in the reflection attack.

A lot of the "bad clients" that I block are also domestic IP addresses, and I've yet to come up with any other explanation, so I am always open to any plausible causes.
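One way a defender can confirm the server is actually answering these probes with a refusal, and see which clients keep probing, is to parse the "query ... denied" lines BIND writes to its security log category. This is an added example, not code from the original post; the log lines are constructed in the shape BIND 9 uses (the `@0x...` client handle is optional), and `served_zones` is an assumed list of zones the server is authoritative for, so queries under those are treated as misconfigurations rather than reflection probes.

```python
import re
from collections import Counter

# Constructed sample lines shaped like BIND's "security" category output
# when a recursive query is refused by allow-recursion/allow-query.
SAMPLE_LOG = """\
13-Apr-2021 21:58:01.123 security: info: client @0x7f1c2c0a1b30 198.51.100.7#53412 (www.example.sl): query (cache) 'www.example.sl/A/IN' denied
13-Apr-2021 21:58:01.456 security: info: client @0x7f1c2c0a1b30 198.51.100.7#53413 (www.example.sl): query (cache) 'www.example.sl/AAAA/IN' denied
13-Apr-2021 21:58:02.001 security: info: client 203.0.113.9#40001 (example.sl): query (cache) 'example.sl/ANY/IN' denied
13-Apr-2021 21:58:05.777 security: info: client 192.0.2.44#5353 (host.example.net): query (cache) 'host.example.net/A/IN' denied
"""

# Matches the denied-query message; the "@0x..." handle appears only on newer BIND builds.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)


def parse_denied(line):
    """Return (client_ip, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")


def summarize(lines, served_zones):
    """Count refused recursion probes per client and per queried TLD.

    Names under zones this server serves are skipped: a refusal there points
    at a misconfiguration, not at a client testing for an open resolver.
    """
    by_client, tlds = Counter(), Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        ip, qname, _qtype = rec
        if any(qname == z or qname.endswith("." + z) for z in served_zones):
            continue
        by_client[ip] += 1
        tlds[qname.rsplit(".", 1)[-1]] += 1
    return by_client, tlds


def probing_clients(lines, served_zones, threshold=2):
    """Clients refused at least `threshold` times for names we do not serve."""
    by_client, _ = summarize(lines, served_zones)
    return sorted(ip for ip, n in by_client.items() if n >= threshold)
```

Seeing these lines at all means the server is returning REFUSED rather than data, which under the hypothesis above is exactly what makes it unattractive as a reflector; a client that is absent from this log but receives answers for names you do not serve is the case worth worrying about.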

