-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Tue, 2021-04-13 at 22:42 +0000, Richard T.A. Neal wrote:
> Yes, another individual & I were discussing this off-list today. We
> wonder if those queries are from malware on infected hosts that are
> trying to determine whether a given nameserver can be used in a
> distributed reflection attack? The source IP is not spoofed (because
> it wants to get the answer), so if it gets either "refused" or a
> timeout then it knows that nameserver can't be used in the reflection
> attack. But if it gets a response with data then it knows it *can* be
> used in the reflection attack.

That makes sense, but in that case the malware is badly written (what a
surprise). In 28 hours a single dns server here saw 1182 such queries
from 80.2.150.110 = cpc99574-brnt1-2-0-cust621.4-2.cable.virginm.net.

I am now using the equivalent of fail2ban to firewall those clients.

-----BEGIN PGP SIGNATURE-----

iHMEAREKADMWIQSuFMepaSkjWnTxQ5QvqPuaKVMWwQUCYHY0yhUcY2FybEBmaXZl
LXRlbi1zZy5jb20ACgkQL6j7milTFsEkYwCfT3lTQO8NIdgSkMvAS03QmrnixiUA
n0IYWwS3qImFMByQzfUbWhK1v850
=D55z
-----END PGP SIGNATURE-----


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to