Re: repeated zone transfer denied

From: Dave Dittrich (dittrich@cac.washington.edu)
Date: Tue Oct 09 2001 - 00:37:06 PDT

Next message: Christian Sarmoria: "Re: Port 17889 - new attack?"

Previous message: Miller, Toby: "RE: new pop3 exploit out?"
In reply to: Ray: "repeated zone transfer denied"
Next in thread: Dave Dittrich: "Re: repeated zone transfer denied"
Next in thread: Alvaro Soto: "RE: new pop3 exploit out?"
Reply: Dave Dittrich: "Re: repeated zone transfer denied"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 8 Oct 2001, Ray wrote:

> I have got the following message in syslog file every 20 minutes for many
> consecutive days. It appear to come from the same IP.  Anybody have idea
> what he intend to do ?
>
>
> Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383:
> zone transfer denied
> <repeated 4 times>

Could be this (pain in the #^$$) courtesy of Microsoft's default
configuration of Win2K and failure for it to stop trying after, oh
say, the first 100 failures!)

This is part of the boilerplate I occasionally send out to dozens
of network contacts/admins...

   =====================================================================
    This is a generic message intended for the owners/administrators of
    Windows 2000 systems ...
                  ... attempting unauthorized DNS zone updates as
    a result of unsupported Windows 2000 Dynamic DNS configurations.

    ...
   =====================================================================

One or more of your systems ...    most likely Windows 2000 systems
with default Dynamic DNS configurations, are making repeated attempts
to update DNS mappings on the UW central DNS servers.  We do not
support this, so these show up in our reports as refused attempts.

We are sending this message to identify and assist those
people who have mis-configured Windows 2000 systems.

If you are ... you should have
already received instructions on how to turn off Dynamic DNS.
If not, the following references should assist you:

  How to Enable/Disable Windows 2000 Dynamic DNS Registrations
  http://support.microsoft.com/support/kb/articles/Q246/8/04.ASP

  How to Disable Windows 2000 Dynamic Domain Name System Registrations
  with Group Policy
  http://support.microsoft.com/support/kb/articles/Q294/8/32.ASP

If you have any questions about turning off Dynamic DNS updates,
please contact ... and request assistance.

 ...

This problem has lasted longer than Code Red, and is just as hard to
deal with in trying to get in touch with admins and get them to fix
it.

(Then again, could be someone who just downloaded a bind sploit. ;)

--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Christian Sarmoria: "Re: Port 17889 - new attack?"
Previous message: Miller, Toby: "RE: new pop3 exploit out?"
In reply to: Ray: "repeated zone transfer denied"
Next in thread: Dave Dittrich: "Re: repeated zone transfer denied"
Next in thread: Alvaro Soto: "RE: new pop3 exploit out?"
Reply: Dave Dittrich: "Re: repeated zone transfer denied"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 08:33:00 PDT