Is there a way to avoid miscreants?
Alessandro Vesely
vesely at tana.it
Sun Apr 5 17:29:45 UTC 2026
On Sun 05/Apr/2026 19:06:47 +0200 Grant Taylor wrote:
> On 4/4/26 6:50 AM, Alessandro Vesely wrote:
>
>> yesterday I got 124,646 queries in ten minutes, between 1:50 and 2:00 AM UTC,
>> from 4,287 different IPs. The top IP was
>> 2001:19f0:5401:2e01:5400:3ff:fed1:9863 with 47,304 queries for 5,261
>> subdomains, e.g. serverselect.tana.it, nu.tana.it, ll.tana.it,
>> ghsms.tana.it, dragoner.tana.it, cinemathe.tana.it, bluefire.tana.it,
>> umk.tana.it, tyche.tana.it, tsvb.tana.it.
>
> I'm not sure how to filter for sub-domains.
>
> In the distant past I've used iptables' L7 filtering capability to filter out
> queries for a fixed domain name. In short, I constructed the hexadecimal
> sequence at a position to look for and dropped the packet.
I don't think it's worth bringing up the kernel when named can do it. Now I've
rate limited nxdomains-per-second to 2. (Perhaps I should've set 1.)
>> When I designed the firewall, I didn't bother monitoring UDP connections to
>> port 53. It seemed to me like named could take care of itself. However, I
>> didn't configure any intrusion prevention features either. Are there any I
>> should enable?
>
> response rate limiting (see Nick's reply).
>
> I'm surprised that the queries came from so many different (likely spoofed)
> IPs. It seems like if it was a reflected attack (to likely spoofed IPs) there
> wouldn't be that many sources. Was there any commonality to the source IPs?
> Aggregate network? ASN?
They taste like DoS attacks, only they're too weak to be effective. I'd guess
something like keeping fit for it. I usually get swarms of connections to 443,
without querying anything, from a bunch of hosts of the same ISP, and cannot find
any other explanation for this activity.
Best
Ale
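The two questions raised in this exchange (do the sources cluster into a few networks, and what would an NXDOMAIN limit of 2 per second have done to that burst) can be answered from the query log. The script below is an added example written for this thread, not code from the poster or from BIND: it parses BIND-style query log lines (assumed to carry the default print-time timestamp and no category prefix), counts queries and distinct names per client, groups clients by the prefix lengths BIND's RRL uses by default (/24 for IPv4, /56 for IPv6), and applies a simplified per-second NXDOMAIN budget per prefix. The log lines, the `example.test` zone and the set of names treated as non-existent are constructed for the example; real RRL decides on the response code, not on a name list.

```python
"""Triage a burst of DNS queries from a BIND query log (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# The named.conf setting discussed in the thread (BIND 9.9.4 or later),
# inside the options or view block:
#   rate-limit { nxdomains-per-second 2; };

# BIND "queries" category line: timestamp, optional @0x... handle, client
# address#port, query name in parentheses, then "query:". Constructed regex.
_QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: "
)

# RRL aggregates clients by prefix before counting; these are its defaults.
IPV4_PREFIX = 24
IPV6_PREFIX = 56

# Constructed sample: one IPv6 host hammering random names, a neighbour in
# the same /56, two IPv4 hosts in the same /24, spread over two seconds.
SAMPLE_LOG = [
    "05-Apr-2026 01:52:13.001 client @0x7f1 2001:db8:1:200::1#4321 (nu.example.test): query: nu.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.002 client @0x7f1 2001:db8:1:200::1#4321 (ll.example.test): query: ll.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.003 client @0x7f1 2001:db8:1:200::1#4321 (ghsms.example.test): query: ghsms.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.004 client @0x7f1 2001:db8:1:200::1#4321 (tyche.example.test): query: tyche.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.005 client @0x7f1 2001:db8:1:200::1#4321 (tsvb.example.test): query: tsvb.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.006 client @0x7f1 2001:db8:1:200::1#4321 (www.example.test): query: www.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.010 client @0x7f2 2001:db8:1:2ff::9#5555 (umk.example.test): query: umk.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.011 client @0x7f2 2001:db8:1:2ff::9#5555 (dragoner.example.test): query: dragoner.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.020 client @0x7f3 192.0.2.7#40001 (bluefire.example.test): query: bluefire.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.021 client @0x7f3 192.0.2.7#40001 (cinemathe.example.test): query: cinemathe.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:13.022 client @0x7f3 192.0.2.7#40001 (serverselect.example.test): query: serverselect.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:14.001 client @0x7f1 2001:db8:1:200::1#4321 (umk.example.test): query: umk.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:14.002 client @0x7f1 2001:db8:1:200::1#4321 (ll.example.test): query: ll.example.test IN A +E(0)K (192.0.2.1)",
    "05-Apr-2026 01:52:14.100 client @0x7f4 192.0.2.200#6000 (www.example.test): query: www.example.test IN A +E(0)K (192.0.2.1)",
]

def parse(lines):
    """Yield (second, client_ip, qname) for each parsable log line."""
    for line in lines:
        m = _QUERY_RE.match(line)
        if m:
            second = m.group("ts").split(".")[0]  # drop the milliseconds
            yield second, m.group("ip"), m.group("qname").lower()

# Constructed: the only name that exists in the zone; everything else
# would be answered NXDOMAIN.
EXISTING_NAMES = {"www.example.test"}
NXDOMAIN_NAMES = {q for _, _, q in parse(SAMPLE_LOG)} - EXISTING_NAMES

def client_prefix(ip):
    """Map a client address to the prefix RRL would count it under."""
    addr = ipaddress.ip_address(ip)
    plen = IPV6_PREFIX if addr.version == 6 else IPV4_PREFIX
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def top_sources(records):
    """Per client: (ip, total queries, distinct names), busiest first."""
    total = Counter()
    names = defaultdict(set)
    for _, ip, qname in records:
        total[ip] += 1
        names[ip].add(qname)
    return [(ip, n, len(names[ip])) for ip, n in total.most_common()]

def prefix_breakdown(records):
    """Queries per aggregate prefix, to see whether sources cluster."""
    return Counter(client_prefix(ip) for _, ip, _ in records).most_common()

def nxdomain_rate_limit(records, nxdomain_names, per_second=2):
    """Simplified RRL: at most `per_second` NXDOMAIN answers per prefix per
    second. Returns (answered, suppressed). Real RRL also keeps a credit
    window and 'slips' truncated replies; only the counting is modelled."""
    bucket = Counter()
    answered = suppressed = 0
    for second, ip, qname in records:
        if qname not in nxdomain_names:
            answered += 1  # positive answers are not limited by this setting
            continue
        key = (second, client_prefix(ip))
        bucket[key] += 1
        if bucket[key] <= per_second:
            answered += 1
        else:
            suppressed += 1
    return answered, suppressed

if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    for ip, n, distinct in top_sources(records):
        print(f"{ip:24} {n:4} queries for {distinct} names")
    print("by prefix:", prefix_breakdown(records))
    print("nxdomains-per-second 2 ->", nxdomain_rate_limit(records, NXDOMAIN_NAMES))
```

Two things the run shows that the thread only hints at: the quiet neighbour in the same /56 loses its NXDOMAIN answers because the prefix budget is shared, which is the intended trade-off of aggregating by prefix, and a per-prefix budget does nothing against thousands of sources that each stay under the limit, which is why the many-source pattern described above is better judged by the prefix and ASN breakdown than by the top-talker alone.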