On Thu, Apr 18, 2002 at 04:57:59PM -0700, Paul Vixie wrote: <snip>
what these files are is a whole lot of lines that look like (broken by me):
18-Apr-2002 16:16:05.491 security: notice: \ denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
by "a whole lot" i mean we've logged 3.3M of these in the last four hours.
I saw similar behavior on my little box (ns.bl.org) about a year or so ago, logs have long since rotated out, so I don't recall exactly when, but there was an IP somewhere in S. America trying to do a dyn update, something like one attempt every two seconds. I emailed the ISP, didn't get anything back, so I set up a black-hole in BIND and stuck that /24 in it. A few days later, it was back, from a different /24, but in the same /16, so I blackholed the /16. Then again, from another /16, but the same ISP, so I blackholed it. Haven't seen anything in a long time. -- Michael Parson mparson@bl.org