Hello Marek,

Do you have an IPv6 assignment? If not, there is really no need to even be resolving AAAA records. An overly simplistic description of a potential solution could be to just drop the incoming AAAA request via its hex value in much the same way rate limiting is done for the "any" query:

--hex-string '|0000FF0001|'

I don't know offhand what the hex value for AAAA is but it should not be too hard to find.

John

Sent from Nine<http://www.9folders.com/>

From: Marek Królikowski <ad...@wset.edu.pl>
Sent: May 16, 2016 10:04 AM
To: bind-users@lists.isc.org
Subject: New type of DDoS? Anyone saw it?

Hello,

Today I saw my bind eat almost 90% of RAM; when I checked the logs I found an interesting DDoS on my DNS cluster today:

16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212 IN AAAA + (8X.1X0.Y.Y)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: slip response to 8X.1X0.33.0/24 for . IN AAAA (00000000)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: query: 235.326.031.064 IN AAAA + (8X.1X0.Y.Y)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: drop response to 8X.1X0.33.0/24 for . IN AAAA (00000000)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: query: 331.206.372.214 IN AAAA + (8X.1X0.Y.Y)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: slip response to 8X.1X0.33.0/24 for . IN AAAA (00000000)

Looks like an IN AAAA query about a wrong IPv4 address... I got almost 5000/sec.
Anyone saw this too?

Best Regards
Marek

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
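The byte pattern quoted in the reply can be read against the DNS wire format: a question ends with the QNAME's terminating zero byte, followed by a 2-byte QTYPE and a 2-byte QCLASS. The following is an added example, not part of the thread; its function names are illustrative and the query packet is constructed. It derives the equivalent pattern for any query type and checks it against a query shaped like the ones in the log.

```python
import struct

# Added example; function names are illustrative, not from any tool.
# Query type codes from the DNS RR type registry (RFC 1035, RFC 3596).
QTYPES = {"A": 1, "AAAA": 28, "ANY": 255}
CLASS_IN = 1


def question_tail(qtype: str) -> bytes:
    """Bytes that end a question: QNAME terminator, QTYPE, QCLASS (IN)."""
    return b"\x00" + struct.pack("!HH", QTYPES[qtype], CLASS_IN)


def hex_string_pattern(qtype: str) -> str:
    """Render the tail in the '|HEX|' form used for the ANY pattern above."""
    return "|" + question_tail(qtype).hex().upper() + "|"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS query: 12-byte header plus one question."""
    # Flags 0x0100 = recursion desired; QDCOUNT = 1, other counts zero.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
        if label
    )
    return header + qname + question_tail(qtype)


def matches(packet: bytes, qtype: str) -> bool:
    """Plain substring search over the payload, as a byte-pattern filter does."""
    return question_tail(qtype) in packet


if __name__ == "__main__":
    # Constructed sample: a query name shaped like those in the log excerpt.
    sample = build_query("323.016.231.212", "AAAA")
    for t in QTYPES:
        print(t, hex_string_pattern(t), matches(sample, t))
```

A pattern built this way matches the bytes wherever they occur in the payload and applies to every client, so a filter using it also drops legitimate AAAA queries.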