Sorry, Andy. Here's another try, but to the list...
On Sat, Feb 11, 2017 at 8:40 PM, Glenn English <ghe2...@gmail.com> wrote:

> On Sat, Feb 11, 2017 at 6:33 PM, Andy Smith <a...@strugglers.net> wrote:
>
>> If your nameserver offered recursion then it was most likely scanned
>> and added to a list of such servers, and is now being used to take
>> part in distributed denial of service attacks.
>
> I think I was wrong earlier. I did try from an external IP, but I used the
> wrong one.
>
> I tested again from a known alien IP, and I checked with a
> RecursiveNameserverTest on the 'Net. Both tests said I wasn't recursive.
> BIND's config is apparently doing what it said it was doing.
>
>> If the really large amount of traffic that is appearing to come
>> from relatively few sources at any given time,
>
> No. It's not a small number of sources. There are 650 or so /15s and /16s
> at AWS, all of which are blocked, and several thousand around the world.
> (most in the US, though) A lot of those look like single hosts with just a
> few hits, so I tend to leave them alone, but others are several hosts on
> the same network. Those make it to the packet filter. I don't like Facebook
> and Microsoft anyway :-)
>
> But they just keep coming. And 'most anybody has a bigger pipe than I do.
> I think I may just be experiencing my first DDoS attack. Getting through
> the Cisco router configuration language was a lot easier and a lot more
> fun.
>
> As best I can tell from the replies I've received today, I've done things
> about as right as can be done in my situation. Just wait until they get
> tired of whacking an old T1, I guess...
>
> Thanks much, all.
>
> --
> Glenn English