"OLCESE, Marcelo Oscar." <[email protected]> writes:

> Since 08 May to date I have many daily log of my BIND 9.7.3
> This one run on Debian 6.
>
> Any ideas?

It's a DDoS attack against the addresses you see as clients in the log. The source addresses are spoofed, and the idea is to make your name server return a larger reply to these addresses amplifying the attack. This won't work with modern bind versions.

The attack might still be effective if it tricks you into blocking these source addresses, which most likely belong to some authoritative DNS servers somewhere. If you block them, then you're effectively blackholing any domains hosted there as seen from your resolvers.

The best you can do is just ignoring these log entries.

Such attacks were popular a couple of years ago. Didn't know they were still around. See e.g. http://markmail.org/message/ydiqnztzmz5qmusf

Bjørn

