Russian Federation IP addresses banned
by Brian Hershey on Feb.22, 2009, under General Info
Just in case there were any valid readers coming from Russia, I must apologize. I have blocked all traffic coming from Russia, due to a spoofed DNS attack appearing to come from invest-pool.ru servers.
Also, in case you’re wondering who is affected by this block, here’s a CIDR list of the Russian Federation IP address space.
If the spoofed DNS attack appearing to emanate from invest-pool.ru stops, I’ll lift the ban.
Thanks for the info, Kiter. I figured it may be something like that, but had no way to be sure.
February 22nd, 2009 on 3:09 am
This attack doesn’t come from invest-pool.ru! They are the victims of a spoofed dns attack. Just make sure your dns is not responding to ‘. NS/IN’ requests and/or drop all incoming udp packets from the specific sources.
February 22nd, 2009 on 12:56 pm
I getting the same thing from the same source, and did the same thing – drop all of Russia. I already had {additional-from-cache no; recursion no;} set, but it’s just annoying.
table persist file “/etc/badhosts.ru” to any
block drop in quick on { $ext_if, $int_if } from
Of course this doesn’t stop the 3-4 queries a second.
March 5th, 2009 on 7:58 pm
I’m just curious, where did you get the list?
March 5th, 2009 on 11:35 pm
Hi Jeff,
You can get a CIDR list by country here:
http://www.countryipblocks.net/index.php
There are quite a few places online to find this information, but this is where I happened to get it from this time.
Brian
March 6th, 2009 on 5:22 am
Cool, thanks Brian.