nanog mailing list archives
Re: swedish dns zone enumerator
From: Saku Ytti <saku () ytti fi>
Date: Thu, 2 Nov 2023 10:53:05 +0200
On Thu, 2 Nov 2023 at 10:32, Mark Andrews <marka () isc org> wrote:
You missed the point I was trying to make. While I think that that source is trying to enumerate some part of the namespace. NS queries by themselves don’t indicate an attack. Others would probably see the series of NS queries as a signature of an attack when they are NOT. There needs to be much more than that to make that conclusion.
I might be reading this wrong, but I don't think the point Randy was trying to make was 'NS queries are an attack', 'UDP packets are an attack' or 'IP packets are an attack' . I base this on the list of queries Randy decided to include as relevant to the thesis Randy was trying to make, instead of wholesale warning of IP, UDP or NS queries. -- ++ytti
Current thread:
- Re: swedish dns zone enumerator Amir Herzberg (Nov 01)
- <Possible follow-ups>
- Re: swedish dns zone enumerator Mark Andrews (Nov 01)
- Re: swedish dns zone enumerator Randy Bush (Nov 01)
- Re: swedish dns zone enumerator Mark Andrews (Nov 02)
- Re: swedish dns zone enumerator Saku Ytti (Nov 02)
- Re: swedish dns zone enumerator Randy Bush (Nov 02)
- Re: swedish dns zone enumerator Randy Bush (Nov 01)
- Re: swedish dns zone enumerator John McCormac (Nov 02)
- Re: swedish dns zone enumerator Stephane Bortzmeyer (Nov 02)
- Re: swedish dns zone enumerator Mark Andrews (Nov 02)