Is there a way to avoid miscreants?
Grant Taylor
gtaylor at tnetconsulting.net
Sun Apr 5 17:06:47 UTC 2026
On 4/4/26 6:50 AM, Alessandro Vesely wrote:
> Hi,
Hi,
> yesterday I got 124,646 queries in ten minutes, between 1:50 and 2:00 AM
> UTC, from 4,287 different IPs. The top IP was
> 2001:19f0:5401:2e01:5400:3ff:fed1:9863 with 47,304 queries for 5,261
> subdomains, e.g. serverselect.tana.it, nu.tana.it, ll.tana.it,
> ghsms.tana.it, dragoner.tana.it, cinemathe.tana.it, bluefire.tana.it,
> umk.tana.it, tyche.tana.it, tsvb.tana.it.
I'm not sure how to filter for sub-domains.
In the distant past I've used iptables' L7 filtering capability to
filter out queries for a fixed domain name. In short, I constructed
the hexadecimal sequence at a position to look for and dropped the packet.
I don't remember the domain name, but it had "pizza" in it.
I can probably look for old config if it will help.
But that was for a known domain name and you're being hit with thousands
of sub-domains.
I would consider standing up an empty zone for tana.it. But I don't
know how much good that would do as the queries are still hitting your
system.
> When I designed the firewall, I didn't bother monitoring UDP connections
> to port 53. It seemed to me like named could take care of itself.
> However, I didn't configure any intrusion prevention features either.
> Are there any I should enable?
Response rate limiting (see Nick's reply).
I'm surprised that the queries came from so many different (likely
spoofed) IPs. It seems like if it was a reflected attack (to likely
spoofed IPs) there wouldn't be that many sources. Was there any
commonality to the source IPs? Aggregate network? ASN?
--
Grant. . . .
unix || die
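Two of the points raised in this message are easy to show in code: the "hexadecimal sequence at a position" that iptables' string match needs in order to drop queries for one known name, and the question of whether the thousands of source IPs share an aggregate network. The block below is an added example written for this page; it is not code from the thread, from BIND, or from either poster. The log lines in it are constructed for the example (documentation addresses, not the address in the report), the query-log format is the standard BIND `queries` channel format, and the `--from 40` offset in the generated iptables rule assumes IPv4 with no IP options (20-byte IP header + 8-byte UDP header + 12-byte DNS header).

```python
"""
Added example (not from the original thread or from BIND).
1. dns_wire_hex(): the wire-format encoding of a domain name as an
   iptables --hex-string, for dropping queries for ONE known name.
2. summarize_queries(): aggregate BIND query-log lines by source
   prefix (/24 for IPv4, /64 for IPv6) and by queried name, to check
   whether many "different" source IPs actually share a network.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in BIND query-log format (documentation addresses).
SAMPLE_LOG = """\
05-Apr-2026 01:51:02.101 client @0x7f1c3c0a1b20 2001:db8:5401:2e01:5400:3ff:fed1:9863#51412 (serverselect.tana.it): query: serverselect.tana.it IN A -E(0) (192.0.2.53)
05-Apr-2026 01:51:02.104 client @0x7f1c3c0a1b20 2001:db8:5401:2e01:5400:3ff:fed1:9863#51413 (nu.tana.it): query: nu.tana.it IN A -E(0) (192.0.2.53)
05-Apr-2026 01:51:02.110 client @0x7f1c3c0a1b20 2001:db8:5401:2e01:ab:cd:ef:1#4010 (ll.tana.it): query: ll.tana.it IN AAAA -E(0) (192.0.2.53)
05-Apr-2026 01:51:02.115 client @0x7f1c3c0a1b20 198.51.100.7#33000 (ghsms.tana.it): query: ghsms.tana.it IN A - (192.0.2.53)
05-Apr-2026 01:51:02.118 client @0x7f1c3c0a1b20 198.51.100.99#33001 (dragoner.tana.it): query: dragoner.tana.it IN A - (192.0.2.53)
05-Apr-2026 01:51:02.120 client @0x7f1c3c0a1b20 203.0.113.5#5353 (www.tana.it): query: www.tana.it IN MX - (192.0.2.53)
"""

# Matches both the old "client 1.2.3.4#53" and the newer "client @0x... 1.2.3.4#53" forms.
QUERY_RE = re.compile(
    r'client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ '
    r'\((?P<qname>[^)]+)\): query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)'
)


def dns_wire_hex(name: str) -> str:
    """Wire-format name as an iptables hex-string: each label is
    length-prefixed and the name is terminated by a 0x00 byte."""
    labels = name.rstrip('.').lower().split('.')
    wire = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'
    return '|' + ' '.join(f'{b:02x}' for b in wire) + '|'


def iptables_drop_rule(name: str) -> str:
    """iptables rule dropping UDP/53 packets whose question is `name`.
    Assumption: IPv4 without IP options, so the question section starts
    at offset 40 (20 IP + 8 UDP + 12 DNS header)."""
    return (f'iptables -A INPUT -p udp --dport 53 -m string --algo bm '
            f'--from 40 --to 300 --hex-string "{dns_wire_hex(name)}" -j DROP')


def source_prefix(src: str) -> str:
    """Collapse a source address to its /24 (IPv4) or /64 (IPv6)."""
    ip = ipaddress.ip_address(src)
    plen = 64 if ip.version == 6 else 24
    return str(ipaddress.ip_network(f'{ip}/{plen}', strict=False))


def summarize_queries(lines):
    """Count queries per source prefix, per source, and per queried name.
    A handful of prefixes carrying most of the load points at a few real
    networks (or a few spoofed ranges) rather than thousands of hosts."""
    by_prefix, by_source, by_name = Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format this regex does not cover)
        total += 1
        src = m.group('src')
        by_prefix[source_prefix(src)] += 1
        by_source[src] += 1
        by_name[m.group('name').lower().rstrip('.')] += 1
    return {
        'queries': total,
        'sources': len(by_source),
        'by_prefix': by_prefix,
        'by_source': by_source,
        'by_name': by_name,
    }


if __name__ == '__main__':
    print(iptables_drop_rule('nu.tana.it'))
    r = summarize_queries(SAMPLE_LOG.splitlines())
    print(f"{r['queries']} queries from {r['sources']} sources")
    for prefix, n in r['by_prefix'].most_common():
        print(f'{n:6d}  {prefix}')
```

Run it against a real query log with `summarize_queries(open('/var/log/named/queries.log'))`; the `by_prefix` ranking is the first answer to "aggregate network?", and feeding the top prefixes to `whois` or an IP-to-ASN lookup answers "ASN?". The generated iptables rule only helps for a single known name, which is exactly the limitation noted in the message above; against thousands of random subdomains, BIND's own rate limiting is the right tool.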