On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote:
> Today I saw my bind eat almost 90% of RAM; when I checked the logs I found an
> interesting DDoS on my DNS cluster today:
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212 IN AAAA + (8X.1X0.Y.Y)

This may be related to
http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
where there is talk of a Ubiquiti exploit which is reported (elsewhere) to generate such queries.

Bert

> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: slip response to 8X.1X0.33.0/24 for . IN AAAA (00000000)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: query: 235.326.031.064 IN AAAA + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#38600: drop response to 8X.1X0.33.0/24 for . IN AAAA (00000000)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: query: 331.206.372.214 IN AAAA + (8X.1X0.Y.Y)
> 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#51399: slip response to 8X.1X0.33.0/24 for . IN AAAA (00000000)
>
> Looks like an IN AAAA query about a wrong IPv4 address... I got almost 5000/sec.
> Has anyone seen this too?
>
> Best Regards
> Marek
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
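
Added example (not part of the original thread): a small Python triage script that counts, per client, queries whose QNAME consists only of numeric labels, as in the log quoted above, and tallies the RRL slip/drop actions per rate-limited prefix. The client addresses, the two ordinary queries and the thresholds are constructed for illustration; the regexes assume the query-log line shape shown in the message.

```python
import re
from collections import Counter

# Line shapes as they appear in the quoted BIND log (older querylog format).
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")
RRL_RE = re.compile(r"client (\S+)#\d+: (slip|drop) response to (\S+) for ")
# QNAME made only of digit labels, e.g. 323.016.231.212; no delegated TLD is numeric.
NUMERIC_QNAME_RE = re.compile(r"^\d+(\.\d+)*\.?$")

# Constructed sample: documentation addresses, QNAMEs in the style of the thread.
SAMPLE_LOG = """\
16-May-2016 16:47:47.467 client 192.0.2.40#44968: query: 323.016.231.212 IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.467 client 192.0.2.40#44968: slip response to 192.0.2.0/24 for . IN AAAA (00000000)
16-May-2016 16:47:47.467 client 192.0.2.40#38600: query: 235.326.031.064 IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.467 client 192.0.2.40#38600: drop response to 192.0.2.0/24 for . IN AAAA (00000000)
16-May-2016 16:47:47.467 client 192.0.2.40#51399: query: 331.206.372.214 IN AAAA + (198.51.100.1)
16-May-2016 16:47:47.467 client 192.0.2.40#51399: slip response to 192.0.2.0/24 for . IN AAAA (00000000)
16-May-2016 16:47:48.101 client 203.0.113.7#5353: query: www.example.com IN A + (198.51.100.1)
16-May-2016 16:47:48.230 client 203.0.113.7#5354: query: example.org IN AAAA + (198.51.100.1)
"""

def summarize(log_text):
    """Return (queries per client, numeric-QNAME queries per client, RRL actions)."""
    total, numeric, rrl = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            client, qname, _qtype = m.groups()
            total[client] += 1
            if NUMERIC_QNAME_RE.match(qname):
                numeric[client] += 1
            continue
        m = RRL_RE.search(line)
        if m:
            # Key on (rate-limited prefix, action) to see how RRL is responding.
            rrl[(m.group(3), m.group(2))] += 1
    return total, numeric, rrl

def suspects(log_text, min_queries=3, min_ratio=0.8):
    """Clients whose traffic is dominated by numeric-only QNAMEs (thresholds are assumptions)."""
    total, numeric, _ = summarize(log_text)
    return sorted(c for c in total
                  if numeric[c] >= min_queries and numeric[c] / total[c] >= min_ratio)

if __name__ == "__main__":
    print("suspect clients:", suspects(SAMPLE_LOG))
    print("RRL actions:", dict(summarize(SAMPLE_LOG)[2]))
```
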