Interesting observation. I just did lookups on 4 recent (< 24 hrs ago) 'sl/ANY/IN' queries logged by our BIND and got:
2 Comcast cable IPs (hsd1.tx.comcast.net and hsd1.ma.comcast.net)
1 OVH Hosting IP (Montreal)
1 Afranet IP (Tehran!)

The whois info for the OVH IP contains the line:

Comment: Failover IPs

On Tue, 13 Apr 2021 14:04:14 -0700 Carl Byington via bind-users <bind-users@lists.isc.org> wrote:

> On Tue, 2021-04-13 at 22:32 +0200, Julien Salort wrote:
> > Reading this thread, I considered simply enabling the fail2ban
> > named-refused jail, but they advise against it because it would end up
> > blocking the victim rather than the attacker.
>
> In the particular case of the .sl denied queries, I don't think these
> are forged queries from the attack victim. Something else is going on
> here. We see queries from systems like these, almost exclusively
> consumer endpoints:
>
> 142-197-133-231.res.spectrum.com.
> mta-162-154-195-235.kya.rr.com.
> mobile-166-173-63-176.mycingular.net.
> prg03s05-in-f193.1e100.net.
> prg03s05-in-f1.1e100.net.
> pool-173-79-59-79.washdc.fios.verizon.net.
> 174-30-51-96.wrbg.centurylink.net.
> c-174-53-75-253.hsd1.va.comcast.net.
> 174-081-062-250.res.spectrum.com.
> cpe-174-106-58-62.ec.res.rr.com.
> 192.sub-174-214-12.myvzw.com.
> stop-looking-at-drifteds-ip.gov.
> 252.243.53.179.d.dyn.claro.net.do.
> ip184-186-26-40.no.no.cox.net.
> dsl-187-193-200-41-dyn.prod-infinitum.com.mx.
> dsl-189-178-58-206-dyn.prod-infinitum.com.mx.
> customer-189-216-112-75.cablevision.net.mx.
> 189.223.57.66.dsl.dyn.telnor.net.
> 212-149-157-12.rev.dnaip.fi.
>
> It seems unlikely that someone is trying to attack those specific
> endpoints. Unless the attack is *very* widely distributed and they are
> actually attacking the ISP infrastructure. But in that case, this seems
> to be a simultaneous attack on almost every major ISP, which I find
> unlikely.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
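The lookups described in the thread (pull the denied 'sl/ANY/IN' queries out of the BIND log, count them per client, then resolve each client's PTR to see whether it looks like a consumer endpoint) are easy to script. The block below is an added example, not code from the thread or from ISC; the log lines in it are constructed for illustration using documentation addresses, and the substring list used to guess "consumer endpoint" from a PTR name is a hypothetical heuristic of mine, not anything the posters used. The reverse lookup is injectable so the analysis can run offline. Note the caveat the thread itself raises: UDP source addresses can be forged, so a count per client tells you where packets claim to come from, which is why this reports rather than blocks.

```python
"""Aggregate BIND 'denied' queries by client IP and enrich with reverse DNS.

Added example (not from the mailing-list post). The regular expression
matches the "query (cache) 'name/type/class' denied" form BIND writes to
its security log category; the sample lines below are constructed.
"""
import re
import socket
from collections import Counter

DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query \((?P<kind>cache|recursion)\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

# Constructed sample log (RFC 5737 / RFC 3849 documentation addresses).
# The last line is a 'queries' category entry, not a denial, and must be ignored.
SAMPLE_LOG = """\
13-Apr-2021 20:01:03.117 security: info: client @0x7f3c1c0a9d10 198.51.100.23#5353 (sl): query (cache) 'sl/ANY/IN' denied
13-Apr-2021 20:01:03.542 security: info: client @0x7f3c1c0a9d10 198.51.100.23#5353 (sl): query (cache) 'sl/ANY/IN' denied
13-Apr-2021 20:01:04.004 security: info: client @0x7f3c1c0b2e40 203.0.113.77#41532 (sl): query (cache) 'sl/ANY/IN' denied
13-Apr-2021 20:01:05.220 security: info: client @0x7f3c1c0b2e40 192.0.2.9#33001 (example.com): query (cache) 'example.com/A/IN' denied
13-Apr-2021 20:01:06.911 security: info: client @0x7f3c1c0c1f00 2001:db8::10#60000 (sl): query (cache) 'sl/ANY/IN' denied
13-Apr-2021 20:01:07.000 queries: info: client @0x7f3c1c0c1f00 2001:db8::10#60000 (sl): query: sl IN ANY +E(0)K (192.0.2.1)
"""

# Hypothetical PTR substrings that suggest a residential / mobile endpoint.
CONSUMER_HINTS = ("res.", "dyn", "hsd1", "dsl", "pool-", "cpe-", "mycingular", "myvzw", "cable")


def parse_denied(lines):
    """Yield one dict (ip, port, qname, kind, name, qtype, qclass) per denied-query line."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.groupdict()


def count_by_client(lines, qname="sl", qtypes=("ANY",)):
    """Count denied queries per client IP for one owner name and a set of query types."""
    want = qname.rstrip(".").lower()
    counts = Counter()
    for rec in parse_denied(lines):
        if rec["name"].rstrip(".").lower() == want and rec["qtype"] in qtypes:
            counts[rec["ip"]] += 1
    return counts


def looks_consumer(ptr):
    """Heuristic: does the PTR name contain a typical residential/mobile label?"""
    p = ptr.lower()
    return any(hint in p for hint in CONSUMER_HINTS)


def rdns(ip):
    """Reverse-resolve ip, returning None when there is no usable PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def enrich(counts, lookup=rdns):
    """Attach PTR and the consumer heuristic to each client, most frequent first."""
    rows = []
    for ip, n in counts.most_common():
        ptr = lookup(ip)
        rows.append({"ip": ip, "count": n, "ptr": ptr,
                     "consumer": bool(ptr and looks_consumer(ptr))})
    return rows


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in open("named.log") and rdns for real data.
    for row in enrich(count_by_client(SAMPLE_LOG.splitlines()), lookup=lambda ip: None):
        print(f"{row['count']:5d}  {row['ip']:<20} {row['ptr'] or '(no PTR)'}")
```

Feed it the real log with `count_by_client(open("/var/log/named/security.log"))` and the default `rdns` lookup; the 'sl' owner name and the ANY type are parameters because the same aggregation is useful for any refused-query pattern. Keep the output as a report: with spoofable UDP sources, turning these counts into firewall rules is exactly the fail2ban failure mode the thread warns about.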