Hello, I did see a post (http://redd.it/2isn35) similar to this, but it doesn’t seem to be the same case.
I get some random queries, but the frequency is way too low to be an attempt at a DDoS/DoS attack. Also, I thought that a « good » DNS amplification should be querying existing records (to ensure a « larger » response), not random, guaranteed to always return « No such name » responses.
My traffic is usually quite low; I get those about once a minute, grouped in ~5 queries from the same IP (probably spoofed, not always the same, but frequently from the 8.0.7.0-8.0.6.255 range).
Some examples (domain has been changed to protect the innocent):
MZLUVOoN.MydOmAIn.Com (yes with randomized capitals)
qqevjfrviwzxll.mydomain.com
RnMFgaSIYZXl.mYDoMaiN.COm
winrar.mydomain.com
ocsinventory-ng.mydomain.com
2010cr0198.mydomain.com – this one does look like some attempt at a DDoS, because I just saw the exact same query coming from 3 different networks almost at the same time (just once from each, though).
So what are they? Do you guys get those too?
(My server accepts no recursion and answers all of those with « No such name ». I’m considering dropping the recurrent IPs on the firewall, but if they are spoofed, it may do more harm than good).
Thanks!
submitted by jsveiga
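A triage sketch for the three patterns described in the post (bursts of about five misses from one source, names with randomized capitals, and one name arriving from several networks almost at once). This is an added example, not part of the original post; the log format, field order, thresholds and addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in a simplified "epoch source qname rcode" format
# (an assumption, not a real server's log format). Addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
1000 192.0.2.10 MZLUVOoN.MydOmAIn.Com NXDOMAIN
1001 192.0.2.10 qqevjfrviwzxll.mydomain.com NXDOMAIN
1001 192.0.2.10 RnMFgaSIYZXl.mYDoMaiN.COm NXDOMAIN
1002 192.0.2.10 winrar.mydomain.com NXDOMAIN
1002 192.0.2.10 ocsinventory-ng.mydomain.com NXDOMAIN
1060 192.0.2.77 2010cr0198.mydomain.com NXDOMAIN
1061 198.51.100.5 2010cr0198.mydomain.com NXDOMAIN
1062 203.0.113.9 2010cr0198.mydomain.com NXDOMAIN
1090 198.51.100.5 www.mydomain.com NOERROR
"""

def parse(line):
    ts, src, qname, rcode = line.split()
    return int(ts), ipaddress.ip_address(src), qname, rcode

def has_mixed_case(qname):
    return any(c.islower() for c in qname) and any(c.isupper() for c in qname)

def triage(log_text, burst_min=5, net_min=3, window=10):
    per_source = defaultdict(int)   # source IP -> NXDOMAIN count over the whole log
    sightings = defaultdict(list)   # lowercased qname -> [(ts, /24 network)]
    mixed = []                      # qnames as received, when case is mixed
    for line in log_text.splitlines():
        ts, src, qname, rcode = parse(line)
        if rcode != "NXDOMAIN":
            continue
        per_source[str(src)] += 1
        if has_mixed_case(qname):
            mixed.append(qname)
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        sightings[qname.lower()].append((ts, net))
    bursts = {ip: n for ip, n in per_source.items() if n >= burst_min}
    multi_net = {}
    for name, seen in sightings.items():
        seen.sort(key=lambda s: s[0])
        for t0, _ in seen:
            # Distinct /24s asking for this name within `window` seconds of t0.
            nets = {n for t, n in seen if t0 <= t <= t0 + window}
            if len(nets) >= net_min:
                multi_net[name] = sorted(str(n) for n in nets)
                break
    return {"bursts": bursts, "mixed_case": mixed, "multi_network": multi_net}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The per-source counts are only as reliable as the source addresses, which the post notes may be spoofed.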