On 23.7.2012 15:09, Marek Salwerowicz wrote:

> BTW - is this attack any new kind of virus/spyware or sth ?
Actually, I think these ANY queries with EDNS0 for ripe.net are caused by some common malware. My servers are receiving them from time to time, and complaining to the person responsible for the source IP address is enough to stop it. So in this case, the source address is probably not spoofed. The only question is: why is the malware doing it?

I use the Linux netfilter hashlimit target to limit queries to a reasonable rate, with a special lower rate for ANY-type queries. I use this iptables matcher to identify the incoming query type: https://github.com/oskar456/xt_dns

Cheers,
Ondřej Caletka, CESNET, z.s.p.o.
http://www.ces.net
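One way to spot which sources are sending the ANY+EDNS0 bursts Ondřej describes (so the responsible party can be notified, or a per-source hashlimit tuned to a sensible rate), as an added example that is not part of the original post: a small Python script that parses BIND 9 query-log lines and reports sources whose ANY queries carrying EDNS0 exceed a per-second threshold. The log lines are constructed for illustration, and the BIND 9 query-log flag convention ('+' = recursion desired, 'E' = EDNS present) is assumed.

```python
import re
from collections import defaultdict, deque

# BIND 9 query-log line (assumed format), e.g.:
# 23-Jul-2012 15:09:01.123 client 192.0.2.10#53412: query: ripe.net IN ANY +E (198.51.100.1)
# Flags after the qtype: '+' = RD set, 'E' = EDNS0 present, 'D' = DO bit, 'T' = TCP.
LOG_RE = re.compile(
    r"^(?P<day>\S+) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ client (?P<src>[^#]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def to_seconds(hms):
    """'15:09:01' -> seconds since midnight (whole seconds are enough for a 1 s window)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse(line):
    """Return the fields we care about, or None for lines that are not query-log entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "ts": to_seconds(m["time"]), "name": m["name"],
            "qtype": m["qtype"], "edns": "E" in m["flags"]}

def find_any_flooders(lines, window=1, limit=5):
    """Map source IP -> peak number of ANY+EDNS0 queries seen within `window` seconds,
    listing only sources that exceeded `limit` (the candidates to rate-limit or report)."""
    recent = defaultdict(deque)   # per-source timestamps of recent ANY+EDNS0 queries
    peaks = {}
    for line in lines:
        q = parse(line)
        if not q or q["qtype"] != "ANY" or not q["edns"]:
            continue                      # only ANY queries with EDNS0 are of interest
        dq = recent[q["src"]]
        dq.append(q["ts"])
        while dq and q["ts"] - dq[0] >= window:
            dq.popleft()                  # slide the window forward
        if len(dq) > limit:
            peaks[q["src"]] = max(peaks.get(q["src"], 0), len(dq))
    return peaks

# Constructed sample log: one client bursting ANY+E for ripe.net, one behaving normally.
SAMPLE_LOG = [
    f"23-Jul-2012 15:09:01.{i:03d} client 192.0.2.10#{40000 + i}: query: ripe.net IN ANY +E (198.51.100.1)"
    for i in range(8)
] + [
    "23-Jul-2012 15:09:01.500 client 203.0.113.5#5353: query: ripe.net IN ANY +E (198.51.100.1)",
    "23-Jul-2012 15:09:02.010 client 203.0.113.5#5354: query: www.example.com IN A + (198.51.100.1)",
    "23-Jul-2012 15:09:02.011 client 203.0.113.5#5355: query: ripe.net IN ANY + (198.51.100.1)",
]

if __name__ == "__main__":
    for src, peak in find_any_flooders(SAMPLE_LOG).items():
        print(f"{src}: {peak} ANY+EDNS0 queries within 1 s")
```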