On 16.12.21 at 15:29, Andrew P. wrote:
> Reindl Harald <h.rei...@thelounge.net> writes:
>> On 16.12.21 at 14:56, Andrew P. wrote:
>>> Reindl Harald <h.rei...@thelounge.net> writes:
>>>> On 16.12.21 at 14:22, Andrew P. wrote:
>>>>> You don't understand what kind of blacklist I want; I want to blacklist the domain name being asked for, so I don't answer for it. I'm not looking to blacklist forged IP addresses of requestors (since we all know criminals don't use their own identities; they use the identities of innocent bystanders).
>>>>>
>>>>> Again, why should _my_ nameserver respond to a query for "./ANY/IN"? I am not a rootserver, and never will be.
>>>>
>>>> AGAIN: you don't gain anything by not responding on a UDP protocol, because the client can't distinguish between no response and packet loss
>>>
>>> AGAIN, the criminal DDoS attacker who's creating these forged requests isn't looking for replies to themselves
>>
>> but a legit client does, while these attacks aren't successful at all
>
> And you still haven't told me who would be a legitimate client making that request for the root domain from my nameserver. Frankly, I can't think of _anyone_ who should be making that request of my nameserver.

it's an example where you introduce more trouble than you solve when things go bad

>>> they're looking to abuse some poor victim. And the victim can't make the attacker shut up
>>
>> this attacker must be pretty dumb then, because the ANY request only makes sense if it gets answered and the response is magnitudes larger than the request
>
> Not if the attacker has a huge bot-net to make the requests. He doesn't care how much of the bots' network capacity is used up, since the attacker isn't paying for it.

but it makes no sense playing that over your server instead of blowing the traffic out directly

>>> And, based on the same philosophy as spam, if they hit enough name servers, some of them will be insecure and provide the full response
>>
>> still pretty dumb not to test with a single ANY request whether you would respond
>
> I suspect they do know what they are doing, or they wouldn't be wasting their time doing it

"know what they are doing" must also be the reason why I have a ton of hardcoded spam subjects with specific typos for over 10 years and even respond on the MX that I don't like the subject

pretty sure the original idea was not hitting a specific real word, but after all these years a famous typo is a 100% spam sign

they don't waste their time but blow out every sort of nonsense in the hope someone is hit by it; your server is immune to what they try, no problem exists
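Added example, not configuration from the thread, from either poster, or from ISC: a named.conf fragment for the kind of authoritative-only server the thread is about. It takes the line Harald argues for (keep answering over UDP, so a real client can tell a refusal from packet loss) while making the answer worthless as an amplifier. Zone name, file path, and the rate-limit numbers are placeholders chosen for illustration, not recommended values.

```conf
// Added example (not from the thread): authoritative-only BIND 9 server
// that still answers ANY, but never with an amplifying reply.
options {
    recursion no;                 // authoritative only: we resolve nothing,
                                  // so "./ANY/IN" gets a small REFUSED
    allow-recursion { none; };
    allow-query-cache { none; };  // no cache to serve out of
    allow-query { any; };         // zone data is public; narrow if it is not

    // BIND 9.11+: answer ANY over UDP with one RRset (or a truncated reply
    // that makes a real client retry over TCP) instead of the full record
    // set. A spoofed victim receives a reply no bigger than the query.
    minimal-any yes;

    // Response Rate Limiting: identical responses to the same /24 (or /56)
    // are capped; every second excess response (slip 2) is a tiny TC=1
    // reply, the rest are dropped. Legit clients fall back to TCP, which a
    // forged-source attacker cannot complete.
    rate-limit {
        responses-per-second 5;   // placeholder values: tune from log-only output
        nxdomains-per-second 5;
        errors-per-second 5;
        slip 2;
        window 5;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;              // set yes first to see what would be limited
    };
};

zone "example.com" {
    type primary;                 // "master" on BIND older than 9.16
    file "/var/named/example.com.zone";
};
```

Check the fragment with `named-checkconf` before reloading, then compare `dig +norecurse ANY example.com @your-server` over UDP and TCP: the UDP answer should be a single RRset or a truncated reply, the TCP answer the full set. A query for the root (`dig +norecurse ANY . @your-server`) should come back REFUSED, which is already smaller than the query and therefore of no use to an amplifier; the ANY queries that matter are the ones for zones the server actually serves.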
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.