On Tue, Dec 19, 2017 at 09:28:28AM +0300, Mohammed Ejaz wrote: > > No this IP 212.76.76.18 doesn’t belongs to us and even not in a > trusted list of our DNS. After looking at my logs I noticed this IP > asked for this domain mumbai-m.site to which our name server denied > as shown in the below logs. Whereas our NCSA claiming that massive > malicious requests from our dns. Just I want to understand how is > this possible massive attack towards the internet for deny requests.
Those logs also show requests from another address in your own netblocks that's been assigned to a customer of Cyberia in Jeddah. That's in 212.119.73.32/27. Sten's explanation was almost certainly right with regards to the traffic seen or analysed by SA's national CERT. The traffic appearing to emanate from your DNS servers will be the result of the botnet or whatever it is making connections back to it's command and control host and spoofing the source addresses of the requests. The DNS resolvers can't tell the difference and reply to all the IPs a request appears to come from. Obviously you can't do anything about 212.76.76.18/32 directly, but if it's taken up this much time already then if I were in your position I'd just null route it at the border of Cyberia's network. Maybe notify Sahara Net that you've had to do it and forward them the same info SA's CERT gave you regarding their IP address. Meanwhile, one of your own customers (the one assigned that /27) need to hire an IT security consultant to clean their network. I'm assuming that log sample was just a quick cut and paste and there's actually a lot more. Search all the resolver logs for addresses in your IP space requesting that hostname and send all those customers a "your computer/network on IP $FOO has been compromised, you have X days to fix it or your connection will be suspended." Just warn your support staff before you do that because they're the ones who will receive the angry calls from confused accountants. Regards, Ben
signature.asc
Description: PGP signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users