On 21-Feb-22 18:36, Randy Bush wrote:
> for some reason lost in time, i have the following in `/etc/ipfw.rules` on a freebsd system running bind9
>
>     add allow tcp from any to me 53 limit src-addr 1 setup
>     add deny tcp from any to me 53
Except that rule wouldn't help. I put the non-local connections into a file, and executed:
    sed zz.tmp -e's/^.*->//; s/:[0-9]\+ .*$//;' | sort | wc -l
    sed zz.tmp -e's/^.*->//; s/:[0-9]\+ .*$//;' | sort -u | wc -l

I get the same number in both cases - 156. They're mostly IPv6 remotes. So while there are IPv6 address blocks that are making a lot of connections, each address only makes one. So the rule (limiting to 1 connection/address) would have no effect.
Interestingly, they come from sequentially numbered hosts. Mostly in 2607:f8b0:4002::. (use 'less' instead of wc -l to see this). Whois says the address block 2607:f8b0::/32 is assigned to google (AS15169).
Why these blocks are making connections - and how long they persist may deserve some investigation.
They could be a DDOS - or a parallelized DNS survey. If you decide they are abusive, the previous firewall rule isn't the right mitigation.
It's important not to jump to conclusions...

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
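The counting above, generalized as an added example (this is not code from the post, from BIND or from ipfw): it parses a constructed lsof-style connection dump of the "local->remote" form the sed expression strips, counts connections per remote address (the `sort | wc -l` versus `sort -u | wc -l` comparison) and per covering prefix (/48 for IPv6, which is the size of the 2607:f8b0:4002:: block noted above), and then computes how many connections an ipfw `limit src-addr 1` rule would actually have refused. The input format, the sample lines, the prefix lengths and the function names are all assumptions made for the example; the sample deliberately mixes one IPv6 block of one-connection hosts with a single IPv4 repeat offender so the two cases can be compared.

```python
"""Count remote connection sources per address and per prefix.

Added example, not code from the thread. It assumes a text dump of
established connections in an lsof-like "local->remote" layout; the sample
lines below are constructed for the example and are not captured data.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample (not from the original post). One local resolver on
# port 53; remote peers appear as lsof prints them: "[v6addr]:port" or
# "v4addr:port". Four sequential hosts in 2607:f8b0:4002::/48 connect once
# each; one IPv4 host connects twice.
SAMPLE = """\
named 1234 bind 20u IPv6 TCP [2001:db8::53]:53->[2607:f8b0:4002::1]:41002 (ESTABLISHED)
named 1234 bind 21u IPv6 TCP [2001:db8::53]:53->[2607:f8b0:4002::2]:41003 (ESTABLISHED)
named 1234 bind 22u IPv6 TCP [2001:db8::53]:53->[2607:f8b0:4002::3]:41004 (ESTABLISHED)
named 1234 bind 23u IPv6 TCP [2001:db8::53]:53->[2607:f8b0:4002:1::7]:41005 (ESTABLISHED)
named 1234 bind 24u IPv4 TCP 192.0.2.53:53->198.51.100.9:55001 (ESTABLISHED)
named 1234 bind 25u IPv4 TCP 192.0.2.53:53->198.51.100.9:55002 (ESTABLISHED)
"""

# Remote endpoint after "->": an optionally bracketed IPv6 or bare IPv4
# address followed by ":port". Backtracking stops the address group before
# the final ":port" for IPv4; the closing "]" bounds it for IPv6.
REMOTE_RE = re.compile(r"->\[?([0-9a-fA-F:.]+)\]?:(\d+)")


def remote_addresses(text):
    """Return the remote address of every connection line, duplicates kept."""
    addrs = []
    for line in text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            addrs.append(ipaddress.ip_address(m.group(1)))
    return addrs


def per_address(addrs):
    """Connections per remote address, keyed by address string.

    len(result) is the 'sort -u | wc -l' figure; sum(result.values()) is
    the 'sort | wc -l' figure. Equal numbers mean one connection per host.
    """
    return Counter(str(a) for a in addrs)


def per_prefix(addrs, v6_len=48, v4_len=24):
    """Connections per covering prefix (assumed lengths), keyed by network string.

    Sequentially numbered hosts that each connect once vanish in the
    per-address view but stand out here.
    """
    counts = Counter()
    for a in addrs:
        plen = v6_len if a.version == 6 else v4_len
        counts[str(ipaddress.ip_network(f"{a}/{plen}", strict=False))] += 1
    return counts


def connections_blocked_by_limit(addrs, limit=1):
    """How many of these connections an ipfw 'limit src-addr N' rule would refuse.

    The rule admits the first N concurrent connections per source address
    and denies the rest, so only addresses with more than N connections are
    affected at all; a block of one-connection hosts is untouched.
    """
    return sum(max(0, n - limit) for n in per_address(addrs).values())


if __name__ == "__main__":
    addrs = remote_addresses(SAMPLE)
    by_addr = per_address(addrs)
    print("connections:", sum(by_addr.values()), "distinct remotes:", len(by_addr))
    for net, n in per_prefix(addrs).most_common():
        print(f"{n:4d}  {net}")
    print("refused by 'limit src-addr 1':", connections_blocked_by_limit(addrs))
```

Run it against a real dump by replacing SAMPLE with the file contents; if the per-address and distinct counts match while one prefix dominates the per-prefix view, a per-address limit cannot help and any mitigation has to work at prefix granularity instead.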
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users