[dns-operations] what type of attack is this?

Steven Carr sjcarr at gmail.com
Fri Aug 9 08:09:33 UTC 2013

On 9 August 2013 02:51, Ken Peng <pyh2 at att.net> wrote:
> All of my six nameservers have been attacked, it's against a special
> domain.
> I grep from the last 50000 lines of log and get the attacking IPs as below.
> Can you tell what type of attack it is and how to stop this? Thanks.

Is there a reason why your nameservers are allowing those IP addresses
to query you (and thus query waig8.com)? I.e., are you supposed to be
running an open resolver on those nameservers? If not, then the way to
"fix" the issue is to either disable recursion completely or restrict
recursion to only allowed clients/subnets. If they are supposed to be
providing open resolution then you might want to look at rate limiting
the clients or use something like RPZ to blacklist the domain from
being resolved, but if it is an open resolver then there isn't really
anything you can do to completely stop this.
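
An added example, not part of the original post: a triage of query-log lines showing which clients asking for the domain fall outside the subnets you intend to serve, i.e. the ones a recursion restriction would refuse. The BIND-style log format, the sample lines and addresses, and the `triage` helper are constructed assumptions; only waig8.com comes from the thread.

```python
import ipaddress
import re
from collections import Counter

# Assumed BIND-style query log line; the thread does not show the real format.
LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F:.]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    "09-Aug-2013 02:50:01.101 client 198.51.100.23#40211: query: waig8.com IN A + (192.0.2.53)",
    "09-Aug-2013 02:50:01.140 client 198.51.100.23#40212: query: abc.waig8.com IN A + (192.0.2.53)",
    "09-Aug-2013 02:50:01.202 client 203.0.113.77#1025: query: waig8.com IN A +E (192.0.2.53)",
    "09-Aug-2013 02:50:02.010 client 192.0.2.10#53544: query: waig8.com IN A + (192.0.2.53)",
    "09-Aug-2013 02:50:02.300 client 203.0.113.9#5353: query: example.org IN A + (192.0.2.53)",
    "09-Aug-2013 02:50:02.450 client 203.0.113.9#5354: query: waig8.com IN NS - (192.0.2.53)",
]

def triage(lines, allowed_subnets, domain):
    """Count recursive queries for `domain` (and subdomains) per client,
    split by whether the client is inside the allowed subnets."""
    nets = [ipaddress.ip_network(n) for n in allowed_subnets]
    domain = domain.lower().rstrip(".")
    inside, outside = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query log line
        qname = m["qname"].lower().rstrip(".")
        if qname != domain and not qname.endswith("." + domain):
            continue  # different domain
        if not m["flags"].startswith("+"):
            continue  # "-" means recursion was not requested
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # unparsable client address
        bucket = inside if any(ip in n for n in nets) else outside
        bucket[str(ip)] += 1
    return inside, outside

if __name__ == "__main__":
    ok, refused = triage(SAMPLE_LOG, ["192.0.2.0/24"], "waig8.com")
    print("allowed clients:", dict(ok))
    print("would be refused by a recursion ACL:", refused.most_common())
```

A large `refused` set confirms the server is answering recursive queries for clients it was never meant to serve.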


