On Wed 14/Apr/2021 00:37:22 +0200 Richard T.A. Neal wrote:
> Julien Salort wrote:
>> Reading this thread, I considered simply enabling the fail2ban named-refused
>> jail, but they advise against it because it would end up blocking the victim
>> rather than the attacker.
> I'm happy to be corrected by more knowledgeable people than me, but I don't
> necessarily agree with fail2ban's recommendation. By blocking traffic to the
> victim (which is what I'm doing by blocking traffic from the spoofed Source IP,
> because no inbound traffic means no outgoing replies) then I'm helping to
> protect the victim, or at least prevent my server being used in the reflection
> attack against that victim.
That behavior might expose the victim to some kind of spear DoS. If the
attackers know the victim is going to seek services from .myzone, they can
spray the authoritative servers of .myzone with illegal requests apparently
coming from the victim's resolvers. That way, when the victim tries to resolve
needed.service.myzone it will be DoSsed.
Best
Ale
--
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
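The failure mode Ale describes above, as an added illustration that is not part of the thread and not fail2ban's or BIND's own code: a toy "named-refused" jail that bans the source address of REFUSED queries, fed with constructed log lines in which the attacker spoofs the victim resolver's address. The log format, the addresses (documentation ranges), the `maxretry` value and the zone name are all assumptions; the point is that the ban lands on the spoofed party and the real sender never appears in the log at all.

```python
"""Model of a source-IP ban driven by BIND 'denied' log lines, showing why
banning the (unverifiable) UDP source of refused queries can lock out the
spoofed victim resolver.  Added illustration; log lines are constructed and
only approximate the shape of BIND's security-category 'denied' messages."""
import re
from collections import Counter

# Approximate shape of a BIND 'denied' line (assumption: check your own
# named.log before reusing the pattern).  The IP captured is what a
# fail2ban-style jail would ban on.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-f.:]+)#\d+ \([^)]*\): "
    r"query(?: \(cache\))? '[^']*' denied"
)

VICTIM_RESOLVER = "192.0.2.10"      # constructed: the spoofed source address
REAL_ATTACKER = "198.51.100.7"      # constructed: never appears in the log

# Constructed: the attacker sprays recursion requests for an out-of-zone name
# at our authoritative server, with the source address forged as the victim's
# resolver.  Every one of them is logged as 'denied' against 192.0.2.10.
CONSTRUCTED_LOG = [
    "14-Apr-2021 00:37:2%d.001 security: info: client @0x7f1c4c0a8a10 "
    "192.0.2.10#4124%d (www.example.net): query (cache) "
    "'www.example.net/A/IN' denied" % (i, i)
    for i in range(5)
]


def parse_denied(lines):
    """Yield the source IP of each 'denied' line, i.e. the address a jail would ban."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip")


def build_banlist(lines, maxretry=3):
    """Ban every source that produced at least `maxretry` denied queries
    (assumed threshold, standing in for fail2ban's maxretry)."""
    counts = Counter(parse_denied(lines))
    return {ip for ip, n in counts.items() if n >= maxretry}


def serve(queries, banlist, zone="myzone"):
    """Model the authoritative server once the ban is in place.
    queries: iterable of (query_id, source_ip, qname).  Returns {query_id: outcome}."""
    results = {}
    for qid, src_ip, qname in queries:
        if src_ip in banlist:
            # The firewall rule drops the packet before named sees it.
            results[qid] = "dropped (source banned)"
        elif qname.endswith("." + zone):
            results[qid] = "answered"
        else:
            # Out-of-zone / recursion request on an authoritative-only server.
            results[qid] = "REFUSED"
    return results


def scenario():
    """Run the spray, apply the ban, then let the victim try a legitimate lookup."""
    banlist = build_banlist(CONSTRUCTED_LOG)
    later_queries = [
        # The victim's resolver now needs a name we are authoritative for.
        ("victim-resolver", VICTIM_RESOLVER, "needed.service.myzone"),
        # An unrelated resolver asking the same thing is unaffected.
        ("bystander", "203.0.113.9", "needed.service.myzone"),
        # The attacker's real address is not in the ban list; nothing was ever
        # logged against it because the spoofed packets carried another source.
        ("attacker-direct", REAL_ATTACKER, "www.example.net"),
    ]
    return banlist, serve(later_queries, banlist)


if __name__ == "__main__":
    bans, outcome = scenario()
    print("banned:", sorted(bans))
    for qid, result in outcome.items():
        print(f"{qid:17} -> {result}")
```

Because the UDP source address is never validated, the count that trips the jail is under the attacker's control, and the resulting rule blocks the party whose address was forged, exactly the "spear DoS" Ale warns about; the attacker's own address only ever shows up if they stop spoofing.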