
Re: DNS hits



Sorry, Andy. Here's another try, but to the list...


On Sat, Feb 11, 2017 at 8:40 PM, Glenn English <ghe2001@gmail.com> wrote:


On Sat, Feb 11, 2017 at 6:33 PM, Andy Smith <andy@strugglers.net> wrote:

If your nameserver offered recursion then it was most likely scanned
and added to a list of such servers, and is now being used to take
part in distributed denial of service attacks.

I think I was wrong earlier. I did try from an external IP, but I used the wrong one.

I tested again from a known alien IP, and I checked with a RecursiveNameserverTest on the 'Net. Both tests said I wasn't recursive. BIND's config is apparently doing what it said it was doing.
 
If the really large amount of traffic that is appearing to come
from relatively few sources at any given time,

No. It's not a small number of sources. There are 650 or so /15s and /16s at AWS, all of which are blocked, and several thousand around the world (most in the US, though). A lot of those look like single hosts with just a few hits, so I tend to leave them alone, but others are several hosts on the same network. Those make it to the packet filter. I don't like Facebook and Microsoft anyway :-)

But they just keep coming. And 'most anybody has a bigger pipe than I do.  I think I may just be experiencing my first DDoS attack. Getting through the Cisco router configuration language was a lot easier and a lot more fun.

As best I can tell from the replies I've received today, I've done things about as right as can be done in my situation. Just wait until they get tired of whacking an old T1, I guess...

Thanks much, all.

--
Glenn English



