Hi,
Nmap shows you have port 53 open to the internet. This is a really bad
idea as it opens you up to DNS amplification attacks.
You need to block port 53 on your firewall (Hugo has provided
iptables rules to do this in an earlier message, although you should
drop from everywhere, not just this specific IP). 9/10 opening port 53
to the internet is not a good move.
Thanks,
Ben
On Sun, Jul 24, 2022 at 13:22, Hugo Mills via BitFolk Users
<users(a)mailman.bitfolk.com> wrote:
On Sun, Jul 24, 2022 at 01:05:55PM +0100, Ian Bowden via BitFolk Users wrote:
My VPS is receiving 250 connections per second from an IP
51.81.86.37. This started yesterday evening. I've no idea who is
doing it or why.
The logfiles are filling up as fast as I can delete them, but my
website keeps falling over as all the disk space has been filled.
Sample from syslog:
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
The IP belongs to a cloud hosting service, OVH. I've written an
email to abuse(a)ovh.ca, but I don't hold out much hope of them
sorting it out.
Does anyone have a suggestion for how I should proceed?
Ian.
At least for now, I'd suggest blocking (dropping) that IP address
with some firewall rules. I believe that iptables has been superseded
by bpfilter, but I've never used the latter. In case the iptables
interface still works, I'd do something like:
# iptables --append INPUT --source 51.81.86.37 --protocol tcp --match tcp --dport 53 --jump DROP
# iptables --append INPUT --source 51.81.86.37 --protocol udp --match udp --dport 53 --jump DROP
This will block any traffic to the DNS port from that IP address.
Hugo.
--
Hugo Mills | The English language has the mot juste for every
hugo@... carfax.org.uk | occasion.
http://carfax.org.uk/ |
PGP: E2AB1DE4 |
_______________________________________________
BitFolk Users mailing list <users(a)mailman.bitfolk.com>
You're subscribed as <0x620x64(a)protonmail.com>
Unsubscribe:
<https://mailman.bitfolk.com/mailman/postorius/lists/users.mailman.bitfolk.com/>
or send an email to <users-leave(a)mailman.bitfolk.com>
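
Added example, not part of the original thread: a Python tally of BIND "denied" lines in the format of the syslog sample above, reporting each client's peak denials in any one second and its most frequent question, so you can see whether one source dominates before writing firewall rules. The first six sample lines are from the thread; the last two lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# BIND "denied" line as quoted in the thread; newer BIND adds "@0x..." after "client".
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ named\[\d+\]: client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<question>[^']*)' denied"
)

# First six lines are from the thread; the last two are constructed for contrast.
SAMPLE_LOG = """\
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#44122 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:52 buddhismwithoutboundaries named[629]: client 51.81.86.37#17043 (.): query (cache) './ANY/IN' denied
Jul 24 12:39:53 buddhismwithoutboundaries named[629]: client 192.0.2.10#5353 (example.org): query (cache) 'example.org/A/IN' denied
Jul 24 12:39:53 buddhismwithoutboundaries sshd[700]: Accepted publickey for ian
"""


def summarize(lines):
    """Return {ip: (peak denials in one second, most common question)}."""
    per_second = defaultdict(Counter)   # ip -> syslog timestamp -> count
    questions = defaultdict(Counter)    # ip -> "name/type/class" -> count
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:
            continue                    # not a named "denied" line
        per_second[m["ip"]][m["ts"]] += 1
        questions[m["ip"]][m["question"]] += 1
    return {
        ip: (max(counts.values()), questions[ip].most_common(1)[0][0])
        for ip, counts in per_second.items()
    }


def flood_sources(lines, threshold):
    """IPs whose peak per-second denial count reaches the threshold."""
    return sorted(ip for ip, (peak, _) in summarize(lines).items()
                  if peak >= threshold)


if __name__ == "__main__":
    for ip, (peak, question) in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: peak {peak}/s, mostly {question}")
    print("over threshold:", flood_sources(SAMPLE_LOG.splitlines(), 5))
```

Because these queries usually arrive over UDP, the logged client address can be spoofed, so the top entry may be the target of the reflected traffic rather than its origin.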