Regardless of whether the source is spoofed or not, one should log it. Especially with this Amazon abuse cloud, how can you report abuse? They want to have an IP address to be able to investigate whether something originated from their network.

If you log 0/24 you might as well log no range at all.

On 30.11.20 at 11:12, Marc Roos wrote:
> Are newer versions of bind still logging like this
>
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to 3.9.41.0/24
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to 3.9.41.0/24
>
> I already reported that it is not too smart to log 3.9.41.0/24; better would be to log 3.9.41.100/24 so you know the offending ip

there is nothing like an "offending ip" in case of dns-amplification, which is usually what happens in context of RRL

it's the forged destination of the attack you see and nothing else

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
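As an added example for the thread above (not code from BIND or ISC), the following script aggregates the `rate-limit` log lines quoted in the thread by limited prefix, so an operator can see which servers saw a given /24 and whether the limit was later released. It takes as given that BIND buckets clients by `ipv4-prefix-length` (default 24) before counting, which is why the log carries a /24 and not a host address. The sample lines are constructed in the format quoted above; the `stop limiting` release message and the optional response-type word in the regex are assumptions about message variants BIND may emit and are not taken from the thread.

```python
"""Aggregate BIND 9 RRL (response-rate-limiting) syslog lines by client prefix.

Added example for the bind-users thread; not BIND's own code. Under RRL the
address in "limit responses to X" is the (usually forged) source address of
the queries, i.e. the reflection victim, not a party to report for abuse.
"""
import re
from collections import defaultdict

# Constructed sample in the format of the lines quoted in the thread.
# The final "stop limiting" line is an assumed release message, not quoted text.
SAMPLE_LOG = """\
Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to 3.9.41.0/24
Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to 35.177.154.0/24
Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to 35.177.154.0/24
Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to 3.9.41.0/24
Nov 30 10:10:09 ns0 named[1303]: rate-limit: info: stop limiting responses to 35.177.154.0/24
"""

# Syslog prefix, then the RRL message. "would limit" covers log-only mode and
# the optional word before "responses" covers per-type variants (assumed).
RRL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"rate-limit: \w+: (?P<action>would limit|limit|stop limiting) "
    r"(?:(?P<rtype>\w+) )?responses to "
    r"(?P<addr>[0-9a-fA-F.:]+)/(?P<plen>\d+)(?P<rest>.*)$"
)


def parse_rrl_lines(text):
    """Return one dict per recognised RRL line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = RRL_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # The logged network is the RRL bucket (ipv4-prefix-length, default 24);
        # the host bits are not available in the log, so keep it as a prefix.
        ev["prefix"] = f"{ev['addr']}/{ev['plen']}"
        events.append(ev)
    return events


def summarize(text):
    """Per limited prefix: servers that limited it, limit events, and release."""
    summary = defaultdict(
        lambda: {"hosts": set(), "limit_events": 0, "released": False}
    )
    for ev in parse_rrl_lines(text):
        entry = summary[ev["prefix"]]
        entry["hosts"].add(ev["host"])
        if ev["action"] in ("limit", "would limit"):
            entry["limit_events"] += 1
        else:  # "stop limiting": the bucket fell back under the rate
            entry["released"] = True
    return dict(summary)


def report(text):
    """Human-readable lines, one per prefix, ordered by limit events."""
    lines = []
    for prefix, e in sorted(
        summarize(text).items(), key=lambda kv: -kv[1]["limit_events"]
    ):
        state = "released" if e["released"] else "still limited"
        lines.append(
            f"{prefix}: {e['limit_events']} limit events on "
            f"{','.join(sorted(e['hosts']))} ({state}); "
            "address is the spoofed query source, i.e. the likely victim"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it on real `named` syslog output by replacing `SAMPLE_LOG`; prefixes that stay limited across several servers point at the reflection target rather than at a network to report, which is the distinction the thread is about.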