<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<div class="moz-cite-prefix">On 21-Feb-22 18:36, Randy Bush wrote:<br>
</div>
<blockquote type="cite" cite="mid:%3Cm2fsobokqo.wl-randy@psg.com%3E">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">for some reason lost in time, i have the following in `/etc/ipfw.rules`
on a freebsd system running bind9
add allow tcp from any to me 53 limit src-addr 1 setup
add deny tcp from any to me 53
</pre>
</blockquote>
</blockquote>
<p>Except that rule wouldn't help. I put the non-local connections
into a file, and executed:</p>
<p>sed zz.tmp -e's/^.*->//; s/:[0-9]\+ .*$//;' | sort | wc -l<br>
sed zz.tmp -e's/^.*->//; s/:[0-9]\+ .*$//;' | sort -u | wc -l</p>
<p>I get the same number in both cases - 156. They're mostly IPv6
remotes. So while there are IPv6 address blocks that are making a
lot of connections, each address only makes one. So the rule
(limiting to 1 connection/address) would have no effect.<br>
</p>
<p>Interestingly, they come from sequentially numbered hosts.
Mostly in 2607:f8b0:4002::. (use 'less' instead of wc -l to see
this). Whois says the address block 2607:f8b0::/32 is assigned to
google (AS15169).<br>
</p>
<p>Why these blocks are making connections - and how long they
persist may deserve some investigation. <br>
</p>
<p>They could be a DDOS - or a parallelized DNS survey.</p>
<p>If you decide they are abusive, the previous firewall rule isn't
the right mitigation. <br>
</p>
<p>It's important not to jump to conclusions...<br>
</p>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
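<p>The point of the two counts above is that a per-source-address connection limit only bites when one address opens several connections; when every address connects once, the interesting signal is how many addresses fall into the same prefix. The script below is an added example, not code from either mail: it takes constructed "local -> remote:port state" lines (the format is an assumption, since the mail does not show its input), counts connections per remote address, checks whether an ipfw-style <code>limit src-addr N</code> rule would ever deny anything, and then aggregates the same addresses by /64 and /48 so the concentration in one block becomes visible.</p>

```python
"""Count inbound connections per source address and per prefix.

Added example (not from the mail). The input format below is an assumption:
one "local -> remote:port state" line per connection, IPv6 remotes written
without brackets, so the port is whatever follows the last ':' before a space.
"""
from collections import Counter
import ipaddress
import re

# Constructed sample, not real data. Every remote address appears exactly once,
# mirroring the observation in the mail, but five of them share one /48.
SAMPLE = """\
[::]:53 -> 2607:f8b0:4002:c01::1a:40001 ESTABLISHED
[::]:53 -> 2607:f8b0:4002:c01::1b:40002 ESTABLISHED
[::]:53 -> 2607:f8b0:4002:c01::1c:40003 ESTABLISHED
[::]:53 -> 2607:f8b0:4002:c02::1a:40004 ESTABLISHED
[::]:53 -> 2607:f8b0:4002:c02::1b:40005 ESTABLISHED
[::]:53 -> 2001:db8:1::10:40006 ESTABLISHED
0.0.0.0:53 -> 192.0.2.10:40007 ESTABLISHED
some unrelated line without an arrow
"""

# Greedy \S+ followed by ':' digits and whitespace: the port is the last
# ':'-separated field before the space, the rest is the address.
REMOTE_RE = re.compile(r"->\s*(\S+):(\d+)\s")


def parse_remotes(text):
    """Return one ip_address per connection line; lines that don't match are skipped."""
    remotes = []
    for line in text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            remotes.append(ipaddress.ip_address(m.group(1)))
    return remotes


def per_address(remotes):
    """Connections per remote address (the quantity 'limit src-addr N' looks at)."""
    return Counter(remotes)


def would_limit_trigger(remotes, limit=1):
    """True if a per-source-address limit of `limit` would deny at least one connection."""
    return any(n > limit for n in per_address(remotes).values())


def per_prefix(remotes, v6_len=64, v4_len=24):
    """Connections per containing prefix, so many single-shot hosts in one block add up."""
    counts = Counter()
    for addr in remotes:
        plen = v6_len if addr.version == 6 else v4_len
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        counts[net] += 1
    return counts


def top_prefixes(remotes, v6_len=64, v4_len=24, n=5):
    """The n busiest prefixes as (prefix string, count) pairs, busiest first."""
    return [(str(net), c) for net, c in per_prefix(remotes, v6_len, v4_len).most_common(n)]


if __name__ == "__main__":
    remotes = parse_remotes(SAMPLE)
    print(f"{len(remotes)} connections from {len(per_address(remotes))} distinct addresses")
    print("per-address limit of 1 would trigger:", would_limit_trigger(remotes, limit=1))
    for plen in (64, 48):
        print(f"busiest /{plen} prefixes:", top_prefixes(remotes, v6_len=plen))
```

<p>On the constructed sample the per-address count and the distinct-address count are both 7, so the limit rule never fires, while the /48 view shows five of the seven connections coming from 2607:f8b0:4002::/48. That is the distinction the mail draws: a per-address limit is the wrong tool for a pattern made of many one-connection hosts, and any decision about mitigation should start from the per-prefix view and from how long the pattern persists.</p>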
</body>
</html>