On 12/15/21 4:51 AM, Danilo Godec via bind-users wrote:
> Hello,

Hi,

> I'm noticing some unusual activity where 48 external IPs generated over 2M queries that have all been denied (just today):
>
> 15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied

I see this type of thing on occasion.

> I'm guessing this is some sort of a reflection attack attempt, but I don't quite understand if these are the perpetrators or victims?

I'd bet a reasonable lunch that these are spoofed addresses of intended victims.

> Would I be doing a bad thing by using fail2ban to block these IPs?

As others have indicated, there are likely side effects to blocking the IPs, be it with fail2ban or otherwise.

I'd suggest investigating response rate limiting. It seems like it can fairly gracefully help ensure that your server doesn't participate in a DoS reply attack while still playing fairly well with otherwise well behaving clients.



--
Grant. . . .
unix || die
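An added example, not part of the original messages: a small Python tally of denied cache queries per claimed source address, parsed from log lines in the format quoted in the thread, to measure how much of the denied traffic is ANY queries. Only the first sample line comes from the post; the other lines, the function names and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Denial lines from BIND's "security" log category, in the format quoted above.
DENIED = re.compile(
    r"security: info: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\([^)]*\): (?:view \S+: )?query \(cache\) '(?P<q>[^']+)' denied"
)

def tally(lines):
    """Map claimed source IP -> Counter of query types it was denied for."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = DENIED.search(line)
        if m:
            # The quoted query is name/type/class, e.g. './ANY/IN'.
            _name, qtype, _qclass = m["q"].rsplit("/", 2)
            per_ip[m["ip"]][qtype] += 1
    return per_ip

def any_heavy(per_ip, min_hits=3, any_ratio=0.9):
    """Sources with at least min_hits denials, nearly all of type ANY.

    These are the *claimed* sources; over UDP they may be spoofed victim
    addresses, so treat the result as a measurement, not a block list.
    """
    out = []
    for ip, types in per_ip.items():
        total = sum(types.values())
        if total >= min_hits and types["ANY"] / total >= any_ratio:
            out.append((ip, total))
    return sorted(out, key=lambda t: -t[1])

# First line is the one from the post; the rest are constructed samples.
SAMPLE = """\
15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.101 security: info: client @0x7f96180b3fe0 192.0.2.10#40111 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.102 security: info: client @0x7f96180b3fe0 192.0.2.10#40112 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.103 security: info: client @0x7f96180b3fe0 192.0.2.10#40113 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:43.500 security: info: client @0x7f96180b3fe0 198.51.100.7#5353 (example.com): view outside: query (cache) 'example.com/A/IN' denied
15-Dec-2021 00:01:44.000 general: info: reloading configuration succeeded
""".splitlines()

if __name__ == "__main__":
    for ip, total in any_heavy(tally(SAMPLE)):
        print(f"{ip}\t{total} denied queries, ANY-dominated")
```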
