Re: Spoofed my Bind 9.7.3 on Debian?
"OLCESE, Marcelo Oscar." <firstname.lastname@example.org> writes:
> Since 08 May to date I have many daily log entries from my BIND 9.7.3.
> This one runs on Debian 6.
> Any ideas?
It's a DDoS attack against the addresses you see as clients in the log.
The source addresses are spoofed, and the idea is to make your name
server return a larger reply to these addresses amplifying the attack.
This won't work with modern bind versions.
The attack might still be effective if it tricks you into blocking these
source addresses, which most likely belong to some authoritative DNS
servers somewhere. If you block them, then you're effectively
blackholing any domains hosted there as seen from your resolvers.
The best you can do is just to ignore these log entries.
Such attacks were popular a couple of years ago. Didn't know they were
still around. See e.g. http://markmail.org/message/ydiqnztzmz5qmusf
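The pattern described above (one spoofed "client" address sending a flood of identical, large-reply queries) can be picked out of a BIND query log without blocking anything. The following is an added example, not code from the thread or from BIND; it assumes the standard BIND query-log line format (the poster's actual log lines are not shown here) and uses constructed sample lines:

```python
import re
from collections import Counter, defaultdict

# Standard BIND query-log line (the "(zone)" after the port and the trailing
# "(server-ip)" differ between versions, so both are optional here).
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_query_log(lines):
    """Yield (client_ip, qname, qtype) for each line in the BIND query-log format."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower(), m.group("qtype").upper()

def find_reflection_candidates(lines, threshold=50):
    """Map client_ip -> (count, qname, qtype) for clients that repeat one
    identical query at least `threshold` times.  A flood of the same
    (typically ANY) query from one "client" is the signature of a reflection
    attack: the client address is the spoofed victim, not the attacker."""
    per_client = defaultdict(Counter)
    for ip, qname, qtype in parse_query_log(lines):
        per_client[ip][(qname, qtype)] += 1
    flagged = {}
    for ip, counts in per_client.items():
        (qname, qtype), n = counts.most_common(1)[0]
        if n >= threshold:
            flagged[ip] = (n, qname, qtype)
    return flagged

# Constructed sample: 60 identical ANY queries "from" 192.0.2.10 (the spoofed
# victim) plus ordinary lookups from 192.0.2.20.  Not real log data.
SAMPLE_LOG = [
    f"08-May-2012 10:00:{i % 60:02d}.000 client 192.0.2.10#{40000 + i}: "
    f"query: isc.org IN ANY +E (198.51.100.1)"
    for i in range(60)
] + [
    "08-May-2012 10:00:05.000 client 192.0.2.20#53211: query: www.debian.org IN A + (198.51.100.1)",
    "08-May-2012 10:00:06.000 client 192.0.2.20#53212: query: www.debian.org IN AAAA + (198.51.100.1)",
    "08-May-2012 10:00:07.000 client 192.0.2.20#53213: query: mail.example.com IN MX + (198.51.100.1)",
]

if __name__ == "__main__":
    for ip, (n, qname, qtype) in find_reflection_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {n} x {qname}/{qtype} - likely spoofed reflection victim, do not block")
```

As the reply above says, the flagged addresses are the targets, so the output is for recognising the pattern and leaving the entries alone, not for building a block list.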