Hello,

I just called one of the clients who is doing this DDoS and he confirmed he uses UBI devices.... Does anyone know how to block all AAAA queries like this: "query 331.206.372.214 IN AAAA" with a random AAA.XXX.YYY.ZZZ address?
Best Regards
Marek

-----Original Message-----
From: bert hubert [mailto:bert.hub...@netherlabs.nl]
Sent: Monday, May 16, 2016 5:45 PM
To: Marek Królikowski <ad...@wset.edu.pl>
Cc: bind-users@lists.isc.org
Subject: Re: New type of DDoS? Anyone saw it?

On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today I saw my bind eat almost 90% of RAM; when I checked the logs I found
> an interesting DDoS on my DNS cluster today:
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212 IN AAAA + (8X.1X0.Y.Y)

This may be related to
http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
where there is talk of a Ubiquiti exploit which is reported (elsewhere) to
generate such queries.

        Bert

> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: slip response to 8X.1X0.33.0/24 for . IN AAAA (00000000)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: query: 235.326.031.064 IN AAAA + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: drop response to 8X.1X0.33.0/24 for . IN AAAA (00000000)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: query: 331.206.372.214 IN AAAA + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: slip response to 8X.1X0.33.0/24 for . IN AAAA (00000000)
>
> Looks like IN AAAA queries about wrong IPv4 addresses... I got almost
> 5000/sec. Anyone saw this too?
>
> Best Regards
> Marek
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
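Added example, not part of the original thread: one way to pick out the clients sending the AAAA-for-dotted-quad queries quoted above from a BIND query log, so they can be contacted or filtered upstream. The function names, the threshold parameter and the 192.0.2.x sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches BIND query-log lines in the format quoted in the thread, e.g.
#   ... client 8X.1X0.3Y.40#44968: query: 323.016.231.212 IN AAAA + (8X.1X0.Y.Y)
# The optional groups tolerate the "@0x..." and "(qname)" fields newer BIND adds.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[^#\s]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
# Four all-numeric labels of 1-3 digits: looks like a dotted quad, but as a
# DNS name its rightmost label would have to be an all-numeric TLD.
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\.?$")


def parse_query(line):
    """Return (client, qname, qtype) for a query-log line, else None."""
    m = QUERY_RE.search(line)
    return (m["client"], m["qname"], m["qtype"]) if m else None


def is_numeric_aaaa(qname, qtype):
    """True for the pattern in the thread: AAAA query for a dotted-quad name."""
    return qtype == "AAAA" and bool(DOTTED_QUAD_RE.match(qname))


def suspicious_clients(lines, threshold=1):
    """Count matching queries per client; keep clients at or above threshold."""
    hits = Counter()
    for line in lines:
        parsed = parse_query(line)
        if parsed and is_numeric_aaaa(parsed[1], parsed[2]):
            hits[parsed[0]] += 1
    return {c: n for c, n in hits.items() if n >= threshold}


# Constructed sample: the first three lines copy the format (and masked
# addresses) from the thread; the 192.0.2.x lines are made up for contrast.
SAMPLE_LOG = """\
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212 IN AAAA + (8X.1X0.Y.Y)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: query: 331.206.372.214 IN AAAA + (8X.1X0.Y.Y)
16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: slip response to 8X.1X0.33.0/24 for . IN AAAA (00000000)
16-May-2016 16:47:48.101 client 192.0.2.10#40000: query: www.example.com IN AAAA + (192.0.2.53)
16-May-2016 16:47:48.102 client 192.0.2.10#40001: query: 4.3.2.1.in-addr.arpa IN PTR + (192.0.2.53)
16-May-2016 16:47:48.103 client 192.0.2.11#40002: query: 10.20.30.40 IN A + (192.0.2.53)
""".splitlines()

if __name__ == "__main__":
    for client, count in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}\t{count}")
```

Rate-limit "slip" and "drop" lines are skipped because they are not query records, and the per-client counts can be fed into whatever ACL or firewall process is already in place.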