The DNS server (bind9) I currently run has recently been handling queries from clients over the Internet, and I noticed hundreds of queries from all sorts of different addresses that look like this (server IP removed):
client 216.59.33.210#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 216.59.33.204#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 208.64.127.5#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 184.107.255.202#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 208.64.127.5#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 208.64.127.5#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 205.204.65.83#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 69.162.110.106#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 216.59.33.210#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 69.162.110.106#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 216.59.33.204#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 208.64.127.5#53: query: ripe.net IN ANY +ED (0.0.0.0)
Can someone explain why so many clients are querying ripe.net?
Answer
When a DNS server is configured as openly as this one, other people abuse it in DNS amplification attacks. The attacker spoofs the IP address of the DDoS target and sends many small queries (usually of type ANY) to servers like yours.
ripe.net is used with ANY because it returns a large answer, which amplifies the size of the attacker's spoofed query as received by the target.
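As an added example that is not part of the question or answer: a small Python script that parses bind9 query-log lines in the format quoted above and flags names attracting repeated ANY queries, reporting how many arrived from source port 53, the pattern the answer describes. The sample log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in bind9 querylog format, using RFC 5737 documentation
# addresses: repeated ANY queries for one name, all from source port 53.
SAMPLE_LOG = """\
client 192.0.2.10#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 192.0.2.11#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 198.51.100.5#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 192.0.2.10#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 203.0.113.7#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 198.51.100.5#53: query: ripe.net IN ANY +ED (0.0.0.0)
client 203.0.113.44#41234: query: www.example.com IN A + (0.0.0.0)
client 203.0.113.45#51022: query: example.net IN ANY +E (0.0.0.0)
"""

# bind9 "query:" line: client ip#port, qname, class, qtype, flags (+ = RD,
# E = EDNS, D = DO bit, which asks for DNSSEC data and enlarges the answer)
QUERY_RE = re.compile(r"^client (?P<ip>[\d.]+)#(?P<port>\d+): query: "
                      r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")

def parse_query_log(text):
    """Parse querylog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records

def find_amplification_candidates(records, min_queries=3):
    """Flag names receiving >= min_queries ANY queries; report distinct sources
    and how many arrived from source port 53 (spoofed as another name server)."""
    by_name = defaultdict(list)
    for rec in records:
        if rec["qtype"] == "ANY":
            by_name[rec["qname"]].append(rec)
    return {
        qname: {
            "queries": len(recs),
            "sources": sorted({r["ip"] for r in recs}),
            "from_port_53": sum(1 for r in recs if r["port"] == 53),
        }
        for qname, recs in by_name.items()
        if len(recs) >= min_queries
    }
```

Run it against a real `querylog` file by passing the file contents to parse_query_log; a name that shows up with many ANY queries mostly from port 53 is the reflection pattern worth rate-limiting or refusing.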