Re: repeated zone transfer denied

From: Dave Dittrich (dittrichat_private)
Date: Tue Oct 09 2001 - 11:54:19 PDT

Next message: Dietmar Braun: "Port 56035?"

Previous message: Christian Sarmoria: "Re: Port 17889 - new attack?"
In reply to: Dave Dittrich: "Re: repeated zone transfer denied"
Next in thread: Alvaro Soto: "RE: new pop3 exploit out?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 9 Oct 2001, Dave Dittrich wrote:

> On Mon, 8 Oct 2001, Ray wrote:
>
> > I have got the following message in syslog file every 20 minutes for many
> > consecutive days. It appear to come from the same IP.  Anybody have idea
> > what he intend to do ?
> >
> >
> > Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383:
> > zone transfer denied
> > <repeated 4 times>
>
> Could be this (pain in the #^$$) courtesy of Microsoft's default
> configuration of Win2K and failure for it to stop trying after, oh
> say, the first 100 failures!)...

I think I read Ray's error message too quickly.  I was refering to
refused zone UPDATES, not zone TRANSFERS.

Someone from Microsoft pointed out that DDNS queries don't use zone
transfers, which made me go back to the reports I see (every day)
of processed logs, which look like:


Unapproved zone updates:

57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXX.XXX.128.in-addr.arpa
57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXXXXX.washington.edu
                         [600 lines deleted]

115 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
191 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
560 occurrences of: denied update from [61.XXX.XXX.XX] for XXXX.org
596 occurrences of: denied update from [61.XXX.XX..X] for XXXX.org
60 occurrences of: denied update from [216.XXX.XX.XX] for XXXXXXX.washington.edu

(I'd hate to see the full system log!)

--
Dave Dittrich                           Computing & Communications
dittrichat_private             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


--
Dave Dittrich                           Computing & Communications
dittrichat_private             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Dietmar Braun: "Port 56035?"
Previous message: Christian Sarmoria: "Re: Port 17889 - new attack?"
In reply to: Dave Dittrich: "Re: repeated zone transfer denied"
Next in thread: Alvaro Soto: "RE: new pop3 exploit out?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 12:27:33 PDT