On 10 Jun 2012, at 22:59, Kyle Creyts wrote:
Someone mentioned that as soon as the spoofed client is blocked, that
a new spoofed client is used... This behavior seems... strange.
I did and I was wrong.
My logs tended to have a few hundred entries at a time for the same
(spoofed?) IP address. So as soon as I blackholed the last IP address
in the log file, entries for another would be appended. At 4am and
there's a caffeine deficit, this looks like a new client has
immediately popped up to replace the one that's just been nuked. In
fact, the "new" IP address was already there and its queries were lost
amongst the noise of the other 100+ addresses that were firing crap at
the name server.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
