FW: Preventing a particular type of nameserver abuse

Richard T.A. Neal richard at richardneal.com
Tue Apr 13 22:42:28 UTC 2021


> In the particular case of the .sl denied queries, I don't think these are forged queries from the attack victim. Something else is going on here. We see queries from systems like these, almost exclusively consumer endpoints:

[snipped]

> It seems unlikely that someone is trying to attack those specific endpoints. Unless the attack is *very* widely distributed and they are actually attacking the ISP infrastructure. But in that case, this seems to be a simultaneous attack on almost every major ISP, which I find unlikely.

Yes, another individual & I were discussing this off-list today. We wonder if those queries are from malware on infected hosts that are trying to determine whether a given nameserver can be used in a distributed reflection attack? The source IP is not spoofed (because it wants to get the answer), so if it gets either "refused" or a timeout then it knows that nameserver can't be used in the reflection attack. But if it gets a response with data then it knows it *can* be used in the reflection attack.

A lot of the "bad clients" that I block are also domestic IP addresses, and I've yet to come up with any other explanation so am always open to any plausible causes.

Best,
Richard.
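An added example, not part of the original message or of BIND itself, that applies the hypothesis above from the defender's side: if a host is testing whether a resolver will answer it, the host's real address appears in the log (it is not spoofed, since it wants the reply), so counting "denied" responses per source and per TLD in the BIND query log singles out the probing clients. The log lines, the .sl threshold and the helper names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines shaped like BIND 9 "query ... denied" log entries
# (security/queries categories). They are not from the original message or any real server.
SAMPLE_LOG = """\
13-Apr-2021 22:10:01.123 client @0x7f1a2c0 198.51.100.23#51234 (www.example.sl): query (cache) 'www.example.sl/A/IN' denied
13-Apr-2021 22:10:01.456 client @0x7f1a2c0 198.51.100.23#51235 (mail.example.sl): query (cache) 'mail.example.sl/A/IN' denied
13-Apr-2021 22:10:02.001 client @0x7f1a2c0 203.0.113.77#40001 (example.com): query (cache) 'example.com/A/IN' denied
13-Apr-2021 22:10:02.789 client @0x7f1a2c0 198.51.100.23#51236 (ns1.example.sl): query (cache) 'ns1.example.sl/A/IN' denied
13-Apr-2021 22:10:03.010 client @0x7f1a2c0 192.0.2.9#53222 (test.example.sl): query (cache) 'test.example.sl/ANY/IN' denied
13-Apr-2021 22:10:03.500 client @0x7f1a2c0 198.51.100.23#51237 (x.example.sl): query (cache) 'x.example.sl/ANY/IN' denied
"""

# Timestamp, optional "@0x..." client pointer (newer BIND versions), source IP#port,
# the name in parentheses, then 'name/QTYPE/QCLASS' denied.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query \(cache\) "
    r"'(?P<name>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied$"
)


def parse_denied(text):
    """Return one dict per 'denied' line; lines that do not match the pattern are skipped."""
    records = []
    for line in text.splitlines():
        m = DENIED_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def _tld(name):
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def summarize_by_source(records):
    """Per source IP: number of denied queries, distinct TLDs asked for, and QTYPE mix."""
    summary = defaultdict(lambda: {"denied": 0, "tlds": set(), "qtypes": Counter()})
    for r in records:
        s = summary[r["ip"]]
        s["denied"] += 1
        s["tlds"].add(_tld(r["name"]))
        s["qtypes"][r["qtype"]] += 1
    return dict(summary)


def flag_probing_sources(records, tld="sl", min_denied=3):
    """Sources that drew at least `min_denied` refusals for names under `tld`.

    The address in the log is the host that actually sent the query (a host
    checking whether it gets an answer cannot spoof its source), so a per-source
    count is a meaningful signal rather than a count of forged addresses.
    """
    per_ip = Counter(r["ip"] for r in records if _tld(r["name"]) == tld)
    return sorted(ip for ip, n in per_ip.items() if n >= min_denied)


if __name__ == "__main__":
    recs = parse_denied(SAMPLE_LOG)
    for ip, s in summarize_by_source(recs).items():
        print(ip, s["denied"], sorted(s["tlds"]), dict(s["qtypes"]))
    print("repeat .sl refusals from:", flag_probing_sources(recs))
```

Run against a real query log, the threshold and TLD are the knobs to tune; the QTYPE mix per source is kept in the summary because a run of refusals for one TLD from a single consumer address, as described in the message, looks different from ordinary stray lookups. A source that only ever draws REFUSED is a candidate for the block list Richard mentions, while a source that later gets answered data is the one a resolver operator should worry about.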


More information about the bind-users mailing list