Hello,
I'm noticing some unusual activity where 48 external IPs generated over
2M queries that have all been denied (just today):
15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0
194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 securi
> Would I be doing a bad thing by using fail2ban to block these IPs?
That’s the question that only you can answer. The IP addresses are
not the attacker’s but the victims’, and you would be punishing those networks
by blocking access from them to your network.
Do you absolutely know that these IP address
with an error
message?
From: bind-users on behalf of Ondřej Surý
Sent: Wednesday, December 15, 2021 7:18 AM
To: Danilo Godec
Cc: bind-users@lists.isc.org
Subject: Re: Millions of './ANY/IN' queries denied
On Wed, 15 Dec 2021 12:51:19 +0100
Danilo Godec via bind-users wrote:
[...]
> 15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0
> 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
This can be common noise you'll see if any external source can get
queries to you
On 15.12.21 at 15:01, John Kristoff wrote:
Would I be doing a bad thing by using fail2ban to block these IPs?
This might be dangerous. If someone spoofs a well-formed UDP query
that does what the above does and you block it, what if the spoofed
source is something you don't want blocked?
st of all known ISP
resolvers for endusers - game over, you blacklisted the world
From: bind-users on behalf of Reindl Harald
Sent: Wednesday, December 15, 2021 8:44 AM
To: bind-users@lists.isc.org
Subject: Re: Millions of './ANY/IN' queries denied
From: bind-users on behalf of Reindl Harald
Sent: Thursday, December 16, 2021 8:14 AM
To: bind-users@lists.isc.org
Subject: Re: Millions of './ANY/IN' queries denied
On 16.12.21 at 14:04, Andrew P. wrote:
> So you're claiming that legitimate resolvers would st
lient
>
> don't get me wrong but you need to understand the implications of what you
> are doing - for DOS attacks "Response Rate Limiting" was invented and for
> non-DOS requests there isn't any valid reason to take action
>
Reindl Harald writes:
On 16.12.21 at 14:22, Andrew P. wrote:
>> You don't understand what kind of blacklist I want; I want to blacklist the domain name
>> being asked for, so I don't answer for it. I'm not looking to blacklist forged IP addresses
>> of requestors (since we all know criminals don't use their own identities; they use the
>> identities of innocent byst
Ondřej Surý wrote:
> FTR RRL will not help on this case. There’s no difference between
> response with TC and response with REFUSED.
Yes and no :-) RRL uses a mixture of "slip" (i.e. truncation) and dropping
responses, so it will attenuate REFUSED spam. (The documentation is not
very clear about