On Tue, 2021-04-13 at 22:32 +0200, Julien Salort wrote:
> Reading this thread, I considered simply enabling the fail2ban
> named-refused jail, but they advise against it because it would end up
> blocking the victim rather than the attacker.

In the particular case of the .sl denied queries, I don't think these are forged queries from the attack victim. Something else is going on here. We see queries from systems like these, almost exclusively consumer endpoints:

142-197-133-231.res.spectrum.com.
mta-162-154-195-235.kya.rr.com.
mobile-166-173-63-176.mycingular.net.
prg03s05-in-f193.1e100.net.
prg03s05-in-f1.1e100.net.
pool-173-79-59-79.washdc.fios.verizon.net.
174-30-51-96.wrbg.centurylink.net.
c-174-53-75-253.hsd1.va.comcast.net.
174-081-062-250.res.spectrum.com.
cpe-174-106-58-62.ec.res.rr.com.
192.sub-174-214-12.myvzw.com.
stop-looking-at-drifteds-ip.gov.
252.243.53.179.d.dyn.claro.net.do.
ip184-186-26-40.no.no.cox.net.
dsl-187-193-200-41-dyn.prod-infinitum.com.mx.
dsl-189-178-58-206-dyn.prod-infinitum.com.mx.
customer-189-216-112-75.cablevision.net.mx.
189.223.57.66.dsl.dyn.telnor.net.
212-149-157-12.rev.dnaip.fi.

It seems unlikely that someone is trying to attack those specific endpoints. Unless the attack is *very* widely distributed and they are actually attacking the ISP infrastructure. But in that case, this seems to be a simultaneous attack on almost every major ISP, which I find unlikely.
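
The argument in this message rests on how the sources of the denied queries are distributed. As an added example (not part of the original message), the Python script below tallies BIND denied-query log lines for one name by client and by network; the log lines are constructed, and the /24 and /48 grouping is an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# BIND's "denied" security message; the "@0x..." token is present in newer releases.
DENIED = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query(?: \(cache\))? '(?P<qname>[^/']+)/[^/']+/[^/']+' denied"
)

def source_spread(lines, qname="sl"):
    """Count denied queries for qname per client and per network."""
    clients, nets = Counter(), Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m or m["qname"].rstrip(".").lower() != qname:
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:  # token looked like an address but is not one
            continue
        prefix = 24 if ip.version == 4 else 48  # grouping size is an assumption
        clients[str(ip)] += 1
        nets[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    total = sum(clients.values())
    top_ip, top_n = clients.most_common(1)[0] if clients else (None, 0)
    return {
        "total": total,
        "clients": len(clients),
        "networks": len(nets),
        "top_client": top_ip,
        "top_share": round(top_n / total, 2) if total else 0.0,
    }

# Constructed log lines using documentation address ranges, not data from the thread.
SAMPLE = [
    "13-Apr-2021 22:31:58.101 security: info: client @0x7f10a4 192.0.2.10#40312 (sl): query (cache) 'sl/ANY/IN' denied",
    "13-Apr-2021 22:31:58.440 security: info: client @0x7f10b8 198.51.100.7#51877 (sl): query (cache) 'sl/ANY/IN' denied",
    "13-Apr-2021 22:31:59.002 security: info: client @0x7f10cc 203.0.113.99#1029 (sl): query (cache) 'sl/ANY/IN' denied",
    "13-Apr-2021 22:32:01.250 security: info: client @0x7f10a4 192.0.2.10#40313 (sl): query (cache) 'sl/ANY/IN' denied",
    "13-Apr-2021 22:32:02.714 security: info: client @0x7f10e0 2001:db8:1::5#53111 (sl): query (cache) 'sl/ANY/IN' denied",
    "13-Apr-2021 22:32:03.090 security: info: client @0x7f10a4 192.0.2.10#40314 (example.com): query (cache) 'example.com/A/IN' denied",
    "13-Apr-2021 22:32:05.000 general: info: zone example.com/IN: loaded serial 2021041301",
]

if __name__ == "__main__":
    print(source_spread(SAMPLE))
```

Forged queries aimed at a single victim would show up as a high `top_share` on one address or network; many clients with a small share each matches the pattern described in the message.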