On Tue, 9 Oct 2001, Dave Dittrich wrote:

> On Mon, 8 Oct 2001, Ray wrote:
>
> > I have got the following message in syslog file every 20 minutes for many
> > consecutive days. It appears to come from the same IP. Anybody have an idea
> > what he intends to do?
> >
> >
> > Oct 8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383:
> > zone transfer denied
> > <repeated 4 times>
>
> Could be this (pain in the #^$$) courtesy of Microsoft's default
> configuration of Win2K and failure for it to stop trying after, oh
> say, the first 100 failures!)...

I think I read Ray's error message too quickly. I was referring to
refused zone UPDATES, not zone TRANSFERS. Someone from Microsoft
pointed out that DDNS queries don't use zone transfers, which made
me go back to the reports I see (every day) of processed logs, which
look like:

Unapproved zone updates:
    57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXX.XXX.128.in-addr.arpa
    57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXXXXX.washington.edu
    [600 lines deleted]
    115 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
    191 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
    560 occurrences of: denied update from [61.XXX.XXX.XX] for XXXX.org
    596 occurrences of: denied update from [61.XXX.XX..X] for XXXX.org
    60 occurrences of: denied update from [216.XXX.XX.XX] for XXXXXXX.washington.edu

(I'd hate to see the full system log!)
--
Dave Dittrich                           Computing & Communications
dittrichat_private                      University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 12:27:33 PDT