FW: Preventing a particular type of nameserver abuse

Alessandro Vesely vesely at tana.it
Wed Apr 14 10:46:44 UTC 2021

On Wed 14/Apr/2021 00:37:22 +0200 Richard T.A. Neal wrote:
> Julien Salort wrote:
>> Reading this thread, I considered simply enabling the fail2ban named-refused jail, but they advise against it because it would end up blocking the victim rather than the attacker.
> I'm happy to be corrected by more knowledgeable people than me, but I don't necessarily agree with fail2ban's recommendation. By blocking traffic to the victim (which is what I'm doing by blocking traffic from the spoofed Source IP, because no inbound traffic means no outgoing replies) then I'm helping to protect the victim, or at least prevent my server being used in the reflection attack against that victim.

That behavior might expose the victim to some kind of spear DoS.  If the 
attackers know the victim is going to seek services from .myzone, they can 
spray the authoritative servers of .myzone with illegal requests apparently 
coming from the victim's resolvers.  That way, when the victim tries to resolve 
needed.service.myzone it will be DoSsed.


More information about the bind-users mailing list