Re: [Sshguard-users] DNS exploit blocking?

[Henry Y. <he...@Ae...>]

On Fri, Apr 12, 2013 at 11:07:45AM +0100, Paco Hope wrote:
> 12-Apr-2013 21:49:57.806 security: client 69.197.42.102#43120 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 
> A bit of research suggests that this is probably logged when someone is
> trying to exploit this vulnerability:
> https://www.isc.org/software/bind/advisories/cve-2012-5166

The queries against isc.org are almost certainly part of the world-wide
DDoS DNS amplification attack (see cloudfare, spamhaus, etc.).

Although sshguard could be used to block these, it's better to make
sure your DNS server doesn't respond to these at all; the attack
isn't against your DNS server but rather against the system whose
IP address to which your server would otherwise respond.