For three consecutive days I have been getting four or five distinct server queries being denied by my csf firewall; in the following extract from my log they are renamed as "www.example1.com", "www.example2.com", "ns1.example3.com", "ns2.example3.com". My question is whether I have to consider these as attacks? If so, do I need to worry about increasing my security measures, even though the firewall blocks the queries?
Please note that the same IPs and ports are named with the same letters.
Jul 22 12:24:00 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=blahblahblah SRC=ZZZ.ZZZ.Z.ZZZ DST=25$
Jul 22 12:24:00 server named[xxxx]: client aaa.aa.aaa.a#aaaaa: query (cache) 'www.example1.com/A/IN' denied
Jul 22 12:24:00 server named[xxxx]: client aaa.aa.aaa.a#bbbbb: query (cache) 'www.example2.com/A/IN' denied
Jul 22 12:24:00 server named[xxxx]: client ccc.ccc.ccc.ccc#ddddd: query (cache) 'ns2.example3.com/A/IN' denied
Jul 22 12:24:03 server named[xxxx]: client ddd.dd.ddd.d#eeeee: query (cache) 'ns1.example3.com/A/IN' denied
Jul 22 12:24:03 server named[xxxx]: client ddd.dd.ddd.d#fffff: query (cache) 'ns2.example3.com/A/IN' denied
Jul 22 12:24:03 server named[xxxx]: client ddd.dd.ddd.d#ggggg: query (cache) 'ns2.example3.com/A/IN' denied
Jul 22 12:24:03 server named[xxxx]: client ddd.dd.ddd.d#hhhhh: query (cache) 'ns1.example3.com/A/IN' denied
Jul 22 12:24:03 server named[xxxx]: client iii.i.i.ii#jjjjj: query (cache) 'ns1.example3.com/A/IN' denied
Jul 22 12:24:03 server named[xxxx]: client iii.i.i.ii#jjjjj: query (cache) 'www.example2.com/A/IN' denied
Jul 22 12:24:04 server named[xxxx]: client kkk.kkk.kkk.kk#lllll: query (cache) 'www.example1.com/A/IN' denied
Jul 22 12:24:05 server named[xxxx]: client kkk.kkk.kkk.kk#mmmmm: query (cache) 'www.example2.com/A/IN' denied
Jul 22 12:24:06 server named[xxxx]: client nnn.nn.nnn.n#ooooo: query (cache) 'www.example2.com/A/IN' denied
Jul 22 12:24:06 server named[xxxx]: client ppp.pp.ppp.p#qqqqq: query (cache) 'ns2.example3.com/A/IN' denied
Jul 22 12:24:06 server named[xxxx]: client ppp.pp.ppp.p#rrrr: query (cache) 'ns1.example3.com/A/IN' denied
Jul 22 12:24:06 server named[xxxx]: client nnn.nn.nnn.n#sssss: query (cache) 'www.example2.com/A/IN' denied
Jul 22 12:24:07 server named[xxxx]: client ppp.pp.ppp.p#ttttt: query (cache) 'ns1.example3.com/A/IN' denied
Jul 22 12:24:07 server named[xxxx]: client ppp.pp.ppp.p#uuuuu: query (cache) 'ns2.example3.com/A/IN' denied
Jul 22 12:24:08 server named[xxxx]: client vv.vvv.vv.vvv#wwwww: query (cache) 'www.example4.com/A/IN' denied
Jul 22 12:24:08 server named[xxxx]: client xx.xxx.xx.xx#yyyyy: query (cache) 'ns1.example3.com/A/IN' denied
Jul 22 12:24:10 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=blahblahblah SRC=xxx.xxx.xxx.xx DST=255.255.255.255 LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=xxxx PROTO=UDP SPT=17500 DPT=17500 LEN=111
Jul 22 12:24:10 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=blahblahblah SRC=xxx.xxx.xxx.xx DST=ZZZ.ZZZ.ZZZ.ZZZ LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=yyyy PROTO=UDP SPT=17500 DPT=17500 LEN=111
Jul 22 12:24:10 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=blahblahblah SRC=yyy.yyy.yyy.yyy DST=255.255.255.255 LEN=115 TOS=0x00 PREC=0x00 TTL=64 ID=z DF PROTO=UDP SPT=5678 DPT=5678 LEN=95
Any ideas would be appreciated. Thanks.
Tags: ddos
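As an added example (not part of the original post or of csf/BIND), the script below parses the two kinds of log line shown in the post, the BIND `query (cache) '<name>/A/IN' denied` entries and the csf/iptables `*UDP_IN Blocked*` kernel entries, and summarizes them per client, per queried name and per destination port, so that repeat sources and broadcast noise can be told apart at a glance. The sample log is constructed here with RFC 5737 documentation addresses and is not the poster's data. A `query (cache) ... denied` line is BIND refusing to answer from its cache (recursion) for a client that `allow-recursion`/`allow-query-cache` does not permit. The hints for ports 17500 and 5678 are the standard assignments (Dropbox LAN sync discovery, MikroTik neighbor discovery) and are an assumption added by this example, not something the post states.

```python
import re
from collections import Counter, defaultdict

# BIND "query (cache) ... denied" lines. The optional "@0x..." handle and
# "(name)" before the colon appear in newer BIND versions.
NAMED_DENIED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query \(cache\) "
    r"'(?P<name>[^/]+)/(?P<rtype>[A-Z]+)/(?P<rclass>[A-Z]+)' denied"
)

# csf/iptables LOG lines; only the fields used below are captured.
FW_BLOCKED = re.compile(
    r"Firewall: \*(?P<chain>[A-Z_]+) Blocked\* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Assumption: standard port assignments, used only as a hint for the reader.
PORT_HINTS = {
    17500: "Dropbox LAN sync discovery (LAN broadcast)",
    5678: "MikroTik neighbor discovery (MNDP, LAN broadcast)",
}

# Constructed sample log (RFC 5737 addresses), mirroring the two line shapes in the post.
SAMPLE_LOG = """\
Jul 22 12:24:00 server named[1234]: client 192.0.2.10#41111: query (cache) 'www.example1.com/A/IN' denied
Jul 22 12:24:00 server named[1234]: client 192.0.2.10#41112: query (cache) 'www.example2.com/A/IN' denied
Jul 22 12:24:03 server named[1234]: client 198.51.100.7#52001: query (cache) 'ns1.example3.com/A/IN' denied
Jul 22 12:24:03 server named[1234]: client 198.51.100.7#52002: query (cache) 'ns2.example3.com/A/IN' denied
Jul 22 12:24:03 server named[1234]: client 198.51.100.7#52003: query (cache) 'ns2.example3.com/A/IN' denied
Jul 22 12:24:08 server named[1234]: client 203.0.113.5#60000: query (cache) 'www.example4.com/A/IN' denied
Jul 22 12:24:10 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=192.0.2.50 DST=255.255.255.255 LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Jul 22 12:24:10 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=192.0.2.50 DST=192.0.2.1 LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=2 PROTO=UDP SPT=17500 DPT=17500 LEN=111
Jul 22 12:24:10 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=192.0.2.51 DST=255.255.255.255 LEN=115 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=5678 DPT=5678 LEN=95
"""


def parse_named_denied(line):
    """Return {ip, port, name, rtype, rclass} for a BIND denied-query line, else None."""
    m = NAMED_DENIED.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def parse_fw_block(line):
    """Return {chain, src, dst, proto, spt, dpt} for a csf kernel block line, else None."""
    m = FW_BLOCKED.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec


def summarize(lines):
    """Aggregate recursion refusals and firewall drops from an iterable of log lines."""
    denied_by_client, denied_by_name = Counter(), Counter()
    names_by_client = defaultdict(set)
    fw_by_dport, unicast_drops_by_src = Counter(), Counter()
    broadcast_drops = 0
    for line in lines:
        rec = parse_named_denied(line)
        if rec:
            denied_by_client[rec["ip"]] += 1
            denied_by_name[rec["name"]] += 1
            names_by_client[rec["ip"]].add(rec["name"])
            continue
        fw = parse_fw_block(line)
        if fw:
            fw_by_dport[fw["dpt"]] += 1
            if fw["dst"] == "255.255.255.255":
                broadcast_drops += 1  # limited-broadcast: LAN chatter, not addressed to us
            else:
                unicast_drops_by_src[fw["src"]] += 1
    return {
        "denied_total": sum(denied_by_client.values()),
        "denied_by_client": denied_by_client,
        "denied_by_name": denied_by_name,
        "names_by_client": {ip: sorted(n) for ip, n in names_by_client.items()},
        # clients that came back more than once are the ones worth a closer look
        "repeat_clients": sorted(ip for ip, c in denied_by_client.items() if c >= 2),
        "fw_by_dport": fw_by_dport,
        "broadcast_drops": broadcast_drops,
        "unicast_drops_by_src": unicast_drops_by_src,
        "port_hints": {p: PORT_HINTS.get(p, "no hint") for p in fw_by_dport},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("recursion refused:", s["denied_total"], "from", len(s["denied_by_client"]), "clients")
    print("repeat clients:", s["repeat_clients"])
    print("queried names:", dict(s["denied_by_name"]))
    print("blocked UDP by dport:", dict(s["fw_by_dport"]), s["port_hints"])
    print("broadcast drops:", s["broadcast_drops"], "unicast drops:", dict(s["unicast_drops_by_src"]))
```

Run it against a real `/var/log/messages` with `summarize(open(path))`. The two counters answer different questions: `denied_by_client` shows whether the same external sources keep asking the server to recurse (the denials prove BIND's `allow-recursion` is already refusing them), while `fw_by_dport` together with `broadcast_drops` separates addressed traffic from LAN discovery broadcasts that csf drops at the edge.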