What is this hacker trying to achieve? [duplicate]

domain-name-system bind named-conf

It's hard to say definitively, but at first glance it looks like it could be an attempted reflection attack (or a test for the viability of using your server in such an attack).

The idea behind such an attack is sending queries over UDP with a spoofed source IP address to an open resolver server to generate traffic to the attack target (the host that actually has the spoofed source IP), using a query that is known to generate a large response to get high amplification of the attacker's bandwidth needed to send the queries.

Assuming that is the case, the implications are:

  • You are not the actual target, rather intended to just "lend" your bandwidth. The source address is who is supposedly being attacked (or who is probing to check if your server could be used for such purposes).
  • It didn't actually work. As you are denying these requests, the responses are not big like the actual response for . ANY would be. (Presumably from not allow recursion in the first place, which is good).

Regarding your feeling that it seems legitimate because one of the source IP addresses is 1.1.1.1, I would say that my instinctive reaction is the exact opposite. Seeing 1.1.1.1 as a source address for this query immediately indicates that something strange is going on:

  • We know that 1.1.1.1 is anycast, which makes it an awful idea to initiate queries from this address. If you respond to a query from 1.1.1.1 your response will be routed to the closest (in a BGP sense) 1.1.1.1 instance, not the one that generated the query.
  • Even ignoring the choice of source address, why would the Cloudflare public resolver ever be sending a query to your server for . ANY? You are not the authority for . and they also have no reason to forward queries to you.

That is, I think you are correct that these queries probably are "up to no good".
Now, whether it's a good idea to block traffic from these addresses, I'm not so sure. The issue here is that it opens up for easy DoS attacks. Someone can use this blocking behavior of yours to make your server stop responding to queries from arbitrary addresses, which could be abused to deny legitimate traffic.

Related

yum list installed including version of all installed packages CentOS 5.4
Install godaddy ssl certificate on nginx, pem, bundle, crt
virt-manager Spice copy paste doesn't work
Active Backup for Business external VM
How do I view a docker image's console trace, in Kubernetes Dashboard?
Email sending issue with “localhost.localdomain”
can one order the elements of a finite group such that their product is equal to the first element in the list?
The limit and asymptotic analysis of $a_n^2 - n$ from $a_{n+1} = \frac{a_n}{n} + \frac{n}{a_n}$
Does $SL_2(K) \simeq SL_2(L)$ imply $K\simeq L$?
Is there an easy way to find the sign of the determinant of an orthogonal matrix?
$\int_{- \infty}^{\infty} \frac{f(x)}{1+\exp{g(x)}}dx=\int_{0}^{\infty} f(x) dx$ for $f(x)=f(-x),~g(x)=-g(-x)$ - are there other formulas like that?
Mathematical Explanation of Mathematica Summation ${\sum_{n=1}^{\infty}\frac{(2n-1)!}{(2n+2)!}\zeta(2n)}$