Unapproved AXFR?

Markus Stumpf maex-bind-users at Space.Net
Tue Dec 21 01:25:12 UTC 1999


On Mon, Dec 13, 1999 at 04:19:22PM +0100, Lars-Johan Liman wrote:
> If there is anyone out there who can give me a good and sound
> technical reason for blocking zone transfers in the general case,
> please let me know. I struggle with the feeling that I want to limit
> them for some fuzzy security related issue that I can't pin-point, but
> so far my feelings have been unable to convince my logical CPU that
> there is a strong technical reason to do so, so I keep them open - for
> now.

I am a bit behind with this list. I have roughly read the whole thread.
One thing I didn't see mentioned is mscan attacks. Forgive me if this
has been mentioned, though.

There is a script out there that I see being pointed at our DNS server
about 2-5 times every day. The script fetches NS records from all zones
of e.g. the DE Domain and tries to AXFR all zones on the DNS servers
found. I have sometimes up to 300 failed AXFRs from the same host.

The use is obvious: they try to find hosts to break into.
Most people name all their HTTPD hosts www. Some hosts have names like
www<number> some have www-devel, devel-www, wwwdev, devwww and so on.
Guessing all those names and querying each name takes a long time and is
a lot of work.
AXFRing the whole zone and grep'ing for "www" is a LOT faster and easier
and you get a lot of hosts that have a high probability to run a httpd.
Take the list of those hosts and another script that tries to exploit
more or less well known bugs on cgis on these servers (phf, test-cgi,
Count.cgi, ...)

Same goes for ftp, mail, ...

	\Maex

-- 
SpaceNet GmbH             |   http://www.Space.Net/   | Stress is when you wake
Research & Development    | mailto:maex-sig at Space.Net | up screaming and you
Joseph-Dollinger-Bogen 14 |  Tel: +49 (89) 32356-0    | realize you haven't
D-80807 Muenchen          |  Fax: +49 (89) 32356-299  | fallen asleep yet.
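The enumeration step Markus describes above (dump a zone with AXFR, then grep the owner names for "www", "ftp", "mail") as an added, offline example. This is not code from the post or from the scanner it mentions; the zone dump is a constructed dig-style AXFR listing for a hypothetical zone example.test., and the hint lists per service are an assumption chosen to match the naming habits the post lists (www2, www-devel, devwww, ...).

```python
"""Added example, not part of the original message: replay the
"AXFR the whole zone and grep for www" step on a constructed zone dump.

The text below imitates what `dig @ns example.test. AXFR` prints for a
small zone. It is made up (hypothetical hosts, RFC 5737 addresses) so
the script runs without touching any name server.
"""

# Constructed sample AXFR output (hypothetical zone and hosts).
SAMPLE_AXFR = """\
example.test.            3600 IN SOA   ns1.example.test. hostmaster.example.test. 1999122101 7200 3600 604800 3600
example.test.            3600 IN NS    ns1.example.test.
example.test.            3600 IN MX    10 mail.example.test.
ns1.example.test.        3600 IN A     192.0.2.1
www.example.test.        3600 IN A     192.0.2.10
www2.example.test.       3600 IN A     192.0.2.11
www-devel.example.test.  3600 IN A     192.0.2.12
devwww.example.test.     3600 IN CNAME www-devel.example.test.
ftp.example.test.        3600 IN A     192.0.2.20
mail.example.test.       3600 IN A     192.0.2.30
smtp2.example.test.      3600 IN A     192.0.2.31
db01.example.test.       3600 IN A     192.0.2.40
example.test.            3600 IN SOA   ns1.example.test. hostmaster.example.test. 1999122101 7200 3600 604800 3600
"""

# Assumption: substrings of the leftmost label that hint at a service.
# Substring matching is what makes www-devel, devwww and wwwdev all hit
# without having to guess each naming scheme.
SERVICE_HINTS = {
    "www": ("www", "web", "http"),
    "ftp": ("ftp",),
    "mail": ("mail", "smtp", "mx", "pop", "imap"),
}

# Only records that name a host are useful to a scanner.
HOST_TYPES = ("A", "AAAA", "CNAME")


def parse_axfr(text):
    """Parse dig-style AXFR output into (owner, rtype, rdata) tuples.

    Blank lines and ';' comments are skipped. A transfer is framed by the
    zone's SOA at both ends, so the second SOA terminates parsing.
    """
    records = []
    seen_soa = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # not a resource record line
        owner, _ttl, _cls, rtype, *rdata = fields
        if rtype == "SOA":
            if seen_soa:
                break  # closing SOA: end of the zone
            seen_soa = True
        records.append((owner.lower().rstrip("."), rtype, " ".join(rdata)))
    return records


def candidates(records, service):
    """The grep step: hosts whose leftmost label hints at `service`."""
    hints = SERVICE_HINTS[service]
    hosts = set()
    for owner, rtype, _rdata in records:
        if rtype not in HOST_TYPES:
            continue
        label = owner.split(".")[0]  # e.g. "www-devel"
        if any(h in label for h in hints):
            hosts.add(owner)
    return sorted(hosts)


def target_list(records):
    """Map each service to its likely hosts, as a scanner would build it."""
    return {svc: candidates(records, svc) for svc in SERVICE_HINTS}


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print(f"{len(recs)} records in transfer")
    for svc, hosts in target_list(recs).items():
        print(f"{svc:5s} -> {', '.join(hosts) or '(none)'}")
```

The point of the example is the asymmetry the post describes: one AXFR yields every host name in the zone, including the oddly named development boxes that name guessing would miss. On the server side, BIND's `allow-transfer { ...; };` option (in `named.conf`, globally or per zone) limits AXFR to the listed addresses or TSIG keys, which is enough to stop this bulk enumeration; it does not stop guessing of common names, so it reduces the attacker's convenience rather than hiding the hosts outright.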