Re: OT misunderstood crackers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, Jan 10, 2016 at 12:14:42PM -0700, Glenn English wrote:
> I'm a self-taught admin (aka mild newbie), and I don't understand why people would hit my DNS servers thousands of times.
>
> I've got a limiter in iptables ('recent' module) that blocks and logs when there are too many hits from one IP to my DNS servers (5 hits in 10 seconds, on non-recursive BIND slaves), and I see thousands of hits in my logs (logwatch reports) every morning, many spread all over a /24 or smaller -- crackers/kiddies for sure, I suspect.
>
> What are they trying to accomplish? How can they get root or useful info from many DNS queries? Or are they just massively stupid with too much time on their hands? Or am I?
Perhaps some miscreants are trying to use/using your DNS server for
DNS amplification attacks [1] (they use open DNS servers to multiply
their DDOS (distributed denial of service) attack force by spoofing
the sender's address in their request (the spoofed sender becomes the
victim)
But then, perhaps it's harmless, who knows.
[1] <https://www.us-cert.gov/ncas/alerts/TA13-088A>
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlaStYYACgkQBcgs9XrR2kYBSQCfS3GFGK7Zenm6C5BqZcnM6iFl
GnwAnAsrDYWn5gSKySsFj0i+X+aYCxhK
=hBhs
-----END PGP SIGNATURE-----
Reply to: