Bind dns amplification attack

2023-03-28 Thread Nyamkhand Buluukhuu
Hello, We are having slowly increasing DNS requests from our customer zones all asking mXX.krebson.ru. I think this is a DNS amplification attack. And source zones/IP addresses are different but sending same requests like below. Most of them are rate

Re: Bind dns amplification attack

2023-03-28 Thread Serg via bind-users
Are you an open recursor? If the answer is no, you should not face any amplification attacks. If you are an open recursor, the best solution is to restrict which IP addresses are allowed to access your recursor. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from th

Re: Bind dns amplification attack

2023-03-28 Thread Nyamkhand Buluukhuu
Hi, No, I have an access list that allows only our ISP zones. BR, Nyamka From: m...@at.encryp.ch Sent: Tuesday, March 28, 2023 3:40 PM To: Nyamkhand Buluukhuu ; bind-users@lists.isc.org Subject: Re: Bind dns amplification attack Are you an open recursor? If t

Re: Bind dns amplification attack

2023-03-28 Thread Matus UHLAR - fantomas
On 28.03.23 16:04, Nyamkhand Buluukhuu wrote: No, I have an access list that allows only our ISP zones. zones? access lists are meant to limit clients. what do your access limits look like? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-m

Re: Bind dns amplification attack

2023-03-28 Thread Borja Marcos
> On 28 Mar 2023, at 09:33, Nyamkhand Buluukhuu wrote: > > Hello, > > We are having slowly increasing dns requests from our customer zones all > asking mXX.krebson.ru. I think this is a DNS amplification attack. > And source zones/IP addresses are different but sending same requests like >

Re: Bind dns amplification attack

2023-03-28 Thread Ondřej Surý
More likely, it’s a malware used to do a targeted attack rather than insecure routers. Also why not both? ;) Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 28. 3. 2023

Re: Bind dns amplification attack

2023-03-28 Thread Matus UHLAR - fantomas
On 28.03.23 18:48, Nyamkhand Buluukhuu wrote: Like below in named.conf: acl recclients { 43.228.128.2/32; 202.70.32.17/32; 103.29.147.0/29; 103.99.103.0/24; } allow-recursion { recclients; }; Great, this means that only clients with those IP addresses can query y

Re: Bind dns amplification attack

2023-03-28 Thread Petr Špaček
On 28. 03. 23 14:30, Matus UHLAR - fantomas wrote: On 28.03.23 18:48, Nyamkhand Buluukhuu wrote: Like below in named.conf: acl recclients { 43.228.128.2/32; 202.70.32.17/32; 103.29.147.0/29; 103.99.103.0/24; } allow-recursion { recclients; }; Great, this means th

Re: Bind dns amplification attack

2023-03-28 Thread Grant Taylor via bind-users
On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote: Great, this means that only clients with those IP addresses can query your server for non-local information. I used to think the same thing. Then I learned that I needed to also add similar configuration for `allow-query {...};` and `allow-que

Re: Bind dns amplification attack

2023-03-28 Thread Matus UHLAR - fantomas
On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote: Great, this means that only clients with those IP addresses can query your server for non-local information. On 28.03.23 10:16, Grant Taylor via bind-users wrote: I used to think the same thing. Then I learned that I needed to also add similar

Re: Bind dns amplification attack

2023-03-28 Thread Grant Taylor via bind-users
On 3/28/23 10:48 AM, Matus UHLAR - fantomas wrote: If your server has authoritative zones for internal use, yes, in such case allow-query is good idea. The server that I first set this on had a secondary copy of the root zone for my systems use. I ended up adding additional restrictions to

Re: Bind dns amplification attack

2023-03-28 Thread Matus UHLAR - fantomas
On 3/28/23 10:48 AM, Matus UHLAR - fantomas wrote: If your server has authoritative zones for internal use, yes, in such case allow-query is good idea. On 28.03.23 11:02, Grant Taylor via bind-users wrote: The server that I first set this on had a secondary copy of the root zone for my system

Re: Bind dns amplification attack

2023-03-28 Thread Grant Taylor via bind-users
On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote: Yes, this is one of the problem "authoritative zones for local use". Authorizing the /zone/ for local use wasn't the problem. The problem was that the world could get some of that zone's data from the query cache even if they couldn't query
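The two points raised in the replies above (Grant Taylor's that `allow-recursion` alone is not enough and that `allow-query` / `allow-query-cache` need the same ACL, and Matus Uhlar's that a global `allow-query` restriction only makes sense for zones that are internal) can be written out as one named.conf. The fragment below is an added example for this page, not configuration posted by anyone in the thread. It reuses the `recclients` ACL the original poster quoted; the zone names, file paths and directory are placeholders.

```conf
// Added example, not from the thread. Recursive resolver that also serves
// authoritative zones. The weak starting point discussed above was:
//
//   options { allow-recursion { recclients; }; };
//
// which limits who may ask for recursion but, on its own, says nothing about
// who may read answers already sitting in the cache.

acl recclients {
    43.228.128.2/32;        // addresses as quoted by the original poster
    202.70.32.17/32;
    103.29.147.0/29;
    103.99.103.0/24;
};

options {
    directory "/var/cache/bind";   // placeholder path
    recursion yes;

    // Who may have this server recurse on their behalf.
    allow-recursion { recclients; };

    // Who may read data already in the cache. Without this, a non-recursive
    // (RD=0) query from anywhere can pull cached records out of the server,
    // which is the leak Grant describes above.
    allow-query-cache { recclients; };

    // Authoritative data stays public at the global level, because the
    // server also publishes zones the whole Internet must be able to
    // resolve. Internal-only zones override this per zone below.
    allow-query { any; };
};

// Public authoritative zone: anyone may query it; recursion is never
// performed for outside clients, and nothing outside it is served to them.
zone "example.net" {                 // placeholder name
    type primary;                    // "master" on BIND before 9.16
    file "/etc/bind/db.example.net"; // placeholder path
};

// Internal-only authoritative zone (Matus's "authoritative zones for
// internal use" case): narrow allow-query for just this zone.
zone "corp.example" {                // placeholder name
    type primary;
    file "/etc/bind/db.corp.example";
    allow-query { recclients; };
};
```

`named-checkconf /etc/bind/named.conf` validates the syntax before a reload. To check the behaviour rather than the file, query from an address outside `recclients`: `dig @<server> <some cached name> +norecurse` should come back REFUSED instead of returning the cached answer, while `dig @<server> example.net SOA` should still be answered. The BIND 9 ARM documents that an unset `allow-query-cache` falls back to `allow-recursion` when that is set, so on current versions the leak is closed by default; writing both statements out keeps the server's behaviour independent of that default and makes the intent visible in the file.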