> In the particular case of the .sl denied queries, I don't think these are 
> forged queries from the attack victim. Something else is going on here. We 
> see queries from systems like these, almost exclusively consumer endpoints:

[snipped]

> It seems unlikely that someone is trying to attack those specific endpoints. 
> Unless the attack is *very* widely distributed and they are actually 
> attacking the ISP infrastructure. But in that case, this seems to be a 
> simultaneous attack on almost every major ISP, which I find unlikely.

Yes, another individual & I were discussing this off-list today. We wonder if 
those queries are from malware on infected hosts that are trying to determine 
whether a given nameserver can be used in a distributed reflection attack? The 
source IP is not spoofed (because it wants to get the answer), so if it gets 
either "refused" or a timeout then it knows that nameserver can't be used in 
the reflection attack. But if it gets a response with data then it knows it 
*can* be used in the reflection attack.

A lot of the "bad clients" that I block are also domestic IP addresses, and 
I've yet to come up with any other explanation, so I am always open to any 
plausible causes.

Best,
Richard.
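For operators who want to check their own logs for the pattern Richard describes (unspoofed consumer addresses repeatedly hitting REFUSED, all under one TLD such as .sl), the following is an added example, not code from the thread or from ISC. It parses BIND "query (cache) ... denied" log lines; the sample lines, the client addresses and the three-query threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# BIND "query denied" line (security/queries category). The "@0x..." client
# handle is optional because older BIND versions do not print it.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
12-Mar-2024 09:10:11.001 client @0x7f3a2c0 198.51.100.23#41022 (abc.sl): query (cache) 'abc.sl/A/IN' denied
12-Mar-2024 09:10:11.002 client @0x7f3a2c0 198.51.100.23#41023 (xyz.sl): query (cache) 'xyz.sl/A/IN' denied
12-Mar-2024 09:10:12.100 client @0x7f3a2d0 203.0.113.7#5353 (www.example.com): query (cache) 'www.example.com/AAAA/IN' denied
12-Mar-2024 09:10:13.000 client @0x7f3a2c0 198.51.100.23#41024 (qrs.sl): query (cache) 'qrs.sl/A/IN' denied
12-Mar-2024 09:10:14.000 client @0x7f3a2e0 192.0.2.55#60001 (foo.sl): query (cache) 'foo.sl/A/IN' denied
12-Mar-2024 09:10:15.000 client @0x7f3a2f0 192.0.2.55#60002 (foo.sl): query: foo.sl IN A + (192.0.2.1)
"""

def parse_denied(text):
    """Yield (client_ip, qname, qtype) for every denied query; other lines are skipped."""
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")

def summarize_denied(text):
    """Per client address: how many queries got REFUSED and how they split across TLDs."""
    summary = defaultdict(lambda: {"total": 0, "by_tld": defaultdict(int)})
    for ip, qname, _qtype in parse_denied(text):
        tld = qname.rsplit(".", 1)[-1]
        summary[ip]["total"] += 1
        summary[ip]["by_tld"][tld] += 1
    return {ip: {"total": v["total"], "by_tld": dict(v["by_tld"])} for ip, v in summary.items()}

def suspected_probers(text, min_denied=3):
    """Clients refused at least min_denied times, all within a single TLD: the
    repeated, unspoofed pattern discussed in the thread. Threshold is an assumption."""
    return sorted(ip for ip, v in summarize_denied(text).items()
                  if v["total"] >= min_denied and len(v["by_tld"]) == 1)

if __name__ == "__main__":
    for ip, v in summarize_denied(SAMPLE_LOG).items():
        print(ip, v["total"], v["by_tld"])
    print("suspected probers:", suspected_probers(SAMPLE_LOG))
```

A REFUSED answer is exactly what the hypothesised probe is listening for, so clients that keep sending such queries after being refused are worth a closer look, while a single refused query from a home address is usually just a misconfigured client.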
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users