Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] Sustained attack from 77.50.*

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] Sustained attack from 77.50.*


Chronological Thread 
  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Sustained attack from 77.50.*
  • Date: Sat, 21 May 2016 14:05:34 -0600
  • Authentication-results: mx4.sourpuss.net; dmarc=none header.from=sourpuss.net
  • Dmarc-filter: OpenDMARC Filter v1.3.0 mx4.sourpuss.net 1BD512D3F4

Well crap... ok that makes it a lot more likely that someone has come up with a way to get around restricted access lists.


On 05/21/2016 11:05 AM, willfurnell AT me.com wrote:
I thought I was the only one! I've been having this attack on my T2
whitelisted resolver for around a week or so now, which was also
slightly confusing.

On 21/05/2016 17:37, Jeff Taylor wrote:
I have been getting hit by a sustained attack from 77.50.0.0/16 for the
past 5 hours, completely saturating my outgoing bandwidth.  This is
despite my T1 only allowing recursion from opennic servers, and my T2
only allowing whitelisted users, so I'm not exactly sure how they got
around that...

The attack queries are searching for ANY +E.  The domains being hit are
listed below, and they are just being cycled through continuously.

Use this line to completely block the range of IP's if you also see this
problem:
# iptables -I INPUT -s 77.50.0.0/16 -j DROP

067.cz
1x1.cz
defcon.org
energystar.gov
freeinfosys.com
globe.gov
gransy.com
gtml2.com
hccforums.nl
sandia.gov
sema.cz
svist21.cz
vlch.net





--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org


      


--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org




Archive powered by MHonArc 2.6.19.

Top of Page