Hi--

On Oct 17, 2012, at 11:17 AM, Manson, John wrote:
> From time to time I notice a large number of queries like these to one of my 
> external dns servers:
>  
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> [ ... ]
> 14:14:40.98668 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> 14:14:40.99417 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
>  
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.

That sure looks to be a DNS-based DDoS.  Note that IP 121.10.105.66 is actually
the victim being attacked-- the attackers forge that address and make queries
which send lots of traffic to it.

Blackholing them on your side will mitigate against the DDoS, but also break any
legitimate traffic which they might send.  (They can always use public DNS
servers like 4.2.2.1 or 8.8.8.8 if they need to, though, so don't worry about
legit requests from them too much.)

Regards,
-- 
-Chuck

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
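
Added example (not part of the original message and not BIND code): a small Python parser for capture lines in the format quoted in the thread, which counts `*` (ANY) queries per source per second and reports sources that reach a threshold. The threshold of 5, the function names and the sample lines (documentation addresses and names) are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Capture-line format as quoted in the thread:
# HH:MM:SS.frac SRC -> DST DNS C QNAME Internet QTYPE ?
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.\d+\s+(\S+)\s+->\s+(\S+)\s+DNS C\s+"
    r"(\S+)\s+Internet\s+(\S+)\s+\?$"
)

def parse_line(line):
    """Return (second_of_day, src, qname, qtype), or None for other lines."""
    m = LINE_RE.match(line.lstrip("> ").strip())  # tolerate mail quoting
    if not m:
        return None
    h, mi, s, src, _dst, qname, qtype = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, qname, qtype

def find_any_floods(lines, threshold=5):
    """Report sources whose '*' (ANY) queries reach `threshold` in one second."""
    per_second = defaultdict(Counter)  # src -> {second: ANY query count}
    names = defaultdict(set)           # src -> names queried
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != "*":
            continue
        second, src, qname, _ = rec
        per_second[src][second] += 1
        names[src].add(qname)
    report = {}
    for src, buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= threshold:  # assumed threshold, tune per server
            report[src] = {"peak_qps": peak, "total": sum(buckets.values()),
                           "names": sorted(names[src])}
    return report

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE = """\
14:14:40.01407 198.51.100.7 -> 192.0.2.53 DNS C example.com. Internet * ?
14:14:40.21101 198.51.100.7 -> 192.0.2.53 DNS C example.com. Internet * ?
14:14:40.35530 198.51.100.7 -> 192.0.2.53 DNS C example.org. Internet * ?
14:14:40.50012 203.0.113.9 -> 192.0.2.53 DNS C example.com. Internet Addr ?
14:14:40.61248 198.51.100.7 -> 192.0.2.53 DNS C example.com. Internet * ?
14:14:40.80377 198.51.100.7 -> 192.0.2.53 DNS C example.org. Internet * ?
14:14:40.98668 198.51.100.7 -> 192.0.2.53 DNS C example.com. Internet * ?
14:14:41.10440 198.51.100.7 -> 192.0.2.53 DNS C example.com. Internet * ?
14:14:41.30951 203.0.113.9 -> 192.0.2.53 DNS C example.com. Internet * ?
""".splitlines()

if __name__ == "__main__":
    for src, info in find_any_floods(SAMPLE).items():
        print(src, info)
```

As the reply above points out, a source reported here is likely the forged address of the victim, not the machine actually sending the queries.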
