On Tue, 2021-04-13 at 22:42 +0000, Richard T.A. Neal wrote:
> Yes, another individual & I were discussing this off-list today. We
> wonder if those queries are from malware on infected hosts that are
> trying to determine whether a given nameserver can be used in a
> distributed reflection attack? The source IP is not spoofed (because
> it wants to get the answer), so if it gets either "refused" or a
> timeout then it knows that nameserver can't be used in the reflection
> attack. But if it gets a response with data then it knows it *can* be
> used in the reflection attack.
That makes sense, but in that case the malware is badly written (what a
surprise). In 28 hours a single DNS server here saw 1182 such queries from
80.2.150.110 = cpc99574-brnt1-2-0-cust621.4-2.cable.virginm.net. I am now
using the equivalent of fail2ban to firewall those clients.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
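The poster blocks clients that hammer the resolver using a fail2ban-style mechanism. The script below is an added illustration of that approach, written for this page and not code from either list participant: it parses BIND 9 query-log lines (the file format with a timestamp prefix and the optional `@0x...` client pointer), keeps a per-client sliding window of query timestamps, flags any client whose count inside the window exceeds a threshold, and emits one firewall rule per flagged client. The log lines, IP addresses (RFC 5737 test ranges), threshold and window size are all constructed for the example; the `iptables` rule is one plausible action and assumes a host where such a rule is appropriate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# BIND 9 query-log line as written to a file channel with print-time enabled, e.g.
#   13-Apr-2021 22:40:01.101 client @0x7f3a1c0a2d10 192.0.2.10#40123 (example.com): query: example.com IN A +E(0)K (203.0.113.53)
# The "@0x..." client pointer is present in newer BIND versions and optional here.
QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[^#\s]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample log: 192.0.2.10 sends six queries in under three minutes,
# 198.51.100.7 sends two spread over half an hour, plus one unrelated line.
SAMPLE_LOG = """\
13-Apr-2021 22:40:01.101 client @0x7f3a1c0a2d10 192.0.2.10#40123 (example.com): query: example.com IN A +E(0)K (203.0.113.53)
13-Apr-2021 22:40:31.204 client @0x7f3a1c0a2d10 192.0.2.10#40124 (example.com): query: example.com IN A +E(0)K (203.0.113.53)
13-Apr-2021 22:41:02.317 client @0x7f3a1c0a2d10 192.0.2.10#40125 (example.com): query: example.com IN A +E(0)K (203.0.113.53)
13-Apr-2021 22:41:10.000 client @0x7f3a1c0b3e20 198.51.100.7#51000 (example.com): query: www.example.com IN AAAA +E(0)K (203.0.113.53)
13-Apr-2021 22:41:35.420 client @0x7f3a1c0a2d10 192.0.2.10#40126 (example.com): query: example.com IN A +E(0)K (203.0.113.53)
13-Apr-2021 22:42:07.533 client @0x7f3a1c0a2d10 192.0.2.10#40127 (example.com): query: example.com IN A +E(0)K (203.0.113.53)
13-Apr-2021 22:42:40.646 client @0x7f3a1c0a2d10 192.0.2.10#40128 (example.com): query: example.com IN A +E(0)K (203.0.113.53)
13-Apr-2021 23:10:00.000 client @0x7f3a1c0b3e20 198.51.100.7#51001 (example.com): query: www.example.com IN A +E(0)K (203.0.113.53)
not a query log line
"""


def parse_query_line(line):
    """Return a dict with ts/ip/qname/qtype for a query-log line, or None if it is not one."""
    m = QUERY_LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return {"ts": ts, "ip": m.group("ip"), "qname": m.group("qname"), "qtype": m.group("qtype")}


def find_abusive_clients(lines, max_queries=5, window_seconds=300):
    """Return {client_ip: peak_count} for clients that sent more than max_queries
    queries inside any window_seconds-long window. Lines are expected in time order."""
    recent = defaultdict(deque)   # client ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        # Expire timestamps that fell out of the sliding window.
        while window and (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_queries:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged


def firewall_rules(flagged):
    """One iptables DROP rule for UDP/53 per flagged client (assumed host firewall layout)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_abusive_clients(SAMPLE_LOG.splitlines())
    for ip, peak in sorted(hits.items()):
        print(f"{ip}: {peak} queries within the window")
    for rule in firewall_rules(hits):
        print(rule)
```

A pure count threshold will also trip on legitimate heavy clients such as a downstream forwarder, so in practice the threshold and window are tuned to the server's normal traffic, or the rule is restricted to clients outside the networks the resolver is meant to serve.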