
Michael Galea via talk wrote:
I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server.
I'm seeing very many of the following on different IPs:
20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)
My server responds:
20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)
I imagine the IPs are spoofed.
I agree with the diagnosis, but IMHO it might be better to configure your nameserver not to respond at all to such queries, especially as anything you emit at all is likely going to a victim of an attack.

Internet-exposed DNS servers should really only respond to queries in domains for which they're authoritative. Recursive servers should be kept private enough to respond only to their local users.

Disclaimer: it's been years since I ran nameservers for a midsized ISP and had to be on top of all this.

-- 
Anthony de Boer
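As an added illustration of the split Anthony describes (not configuration posted by anyone in this thread), here is a BIND 9 named.conf sketch: the open-resolver pattern that answers everything, beside an authoritative-only Internet-facing server and a separate recursive resolver restricted to local users. The ACL prefixes, the zone name "example.net", the zone file path and the listen address are assumptions chosen for the example; adjust them to your network.

```conf
// --- Weak: what an amplification victim's attacker hopes to find ---
// Recursion open to the world and every query answered. Spoofed ANY
// queries get either a full answer or a REFUSED, and both go to the victim.
options {
    recursion yes;
    allow-query { any; };
};

// --- Hardened, part 1: the Internet-facing authoritative server ---
// Assumed local prefixes (RFC 5737 documentation ranges, replace with yours).
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };

options {
    recursion no;                    // authoritative only, never resolves for others
    allow-recursion { none; };
    allow-query-cache { none; };     // nothing cached to leak or amplify
    allow-query { none; };           // default deny; each zone opens itself below

    // Response Rate Limiting (BIND 9.10+). slip 0 means rate-limited
    // responses are dropped outright instead of being replaced by small
    // truncated replies, so nothing at all is emitted toward the victim
    // once a source exceeds the limit.
    rate-limit {
        responses-per-second 5;
        errors-per-second 5;         // REFUSED/SERVFAIL are limited too
        slip 0;
    };

    // BIND 9.11+: answer UDP ANY with one RRset and TC, forcing a TCP retry
    // that a spoofed source cannot complete.
    minimal-any yes;
};

zone "example.net" {
    type primary;                    // "type master" on BIND before 9.16
    file "/var/named/example.net.zone";   // assumed path
    allow-query { any; };            // the only thing the world may ask about
};

// --- Hardened, part 2: the recursive resolver, on a separate instance ---
// Kept off the Internet-facing address and reachable only from local users.
options {
    listen-on { 192.0.2.53; };       // assumed internal address
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
```

Two caveats. First, BIND has no per-zone "silently drop" switch: a query for a name the authoritative server does not serve still draws a REFUSED like the one in the capture above, so the reduction to zero responses relies on rate limiting kicking in after the first few packets per source, and on the recursion and cache being closed so the answers that do go out are small. Second, `blackhole { ... };` drops packets from listed addresses without any reply, but since the sources here are spoofed and varied it only helps against a fixed set of reflectors, not this traffic.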