Unapproved AXFR?

Michel Marcon NOSPAM.michel.marcon at vnumail.com
Tue Dec 21 19:59:04 UTC 1999


Hi.
It reminds me of an old post I made on this group: I did say that the
naming of machines shouldn't be as obvious as mail.alcatel.nat.org for
a mail-relay or dns1.cete.net. Somebody told me that it's easier to
administer, which is a good argument.

Long debates. Personally, I do like machines named like castor.hp.net;
and purge the /etc/motd and the like which announce proudly "IRIX 2.1
ready on SGI Origin 200"

But this is *not* the right place; maybe group.group.security ?? ;
Sorry
cmic

On 20 Dec 1999 17:33:27 -0800, Markus Stumpf
<maex-bind-users at Space.Net> wrote:

>On Mon, Dec 13, 1999 at 04:19:22PM +0100, Lars-Johan Liman wrote:
>> If there is anyone out there who can give me a good and sound
>> technical reason for blocking zone transfers in the general case,
>> please let me know. I struggle with the feeling that I want to limit
>> them for some fuzzy security related issue that I can't pin-point, but
>> so far my feelings have been unable to convince my logical CPU that
>> there is a strong technical reason to do so, so I keep them open - for
>> now.
>
>I am a bit behind with this list. I have roughly read the whole thread.
>One thing I didn't see mentioned is mscan attacks. Forgive me if this
>has been mentioned, though.
>
>There is a script out there that I see being pointed at our DNS server
>about 2-5 times every day. The script fetches NS records from all zones
>of e.g. the DE Domain and tries to AXFR all zones on the DNS servers
>found. I have sometimes up to 300 failed AXFRs from the same host.
>
>The use is obvious: they try to find hosts to break into.
>Most people name all their HTTPD hosts www. Some hosts have names like
>www<number> some have www-devel, devel-www, wwwdev, devwww and so on.
>Guessing all those names and querying each name takes a long time and is
>a lot of work.
>AXFRing the whole zone and grep'ing for "www" is a LOT faster and easier
>and you get a lot of hosts that have a high probability to run a httpd.
>Take the list of those hosts and another script that tries to exploit
>more or less well known bugs on cgis on these servers (phf, test-cgi,
>Count.cgi, ...)
>
>Same goes for ftp, mail, ...
>
>	\Maex
>
>-- 
>SpaceNet GmbH             |   http://www.Space.Net/   | Stress is when you wake
>Research & Development    | mailto:maex-sig at Space.Net | up screaming and you
>Joseph-Dollinger-Bogen 14 |  Tel: +49 (89) 32356-0    | realize you haven't
>D-80807 Muenchen          |  Fax: +49 (89) 32356-299  | fallen asleep yet.
>

--------------------------------
Michel Marcon
Sysadmin UNIX & Windows NT (I try)
NoSpam.cmic at cetu.equipement.gouv.fr
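The quoted description of a script that walks a TLD's NS records and attempts AXFR against every server, leaving hundreds of failed transfers from one host, suggests a simple detection check on the name server side. The following is an added example written for this archive page, not code from the thread, from BIND, or from either poster: it parses denied-transfer log lines, counts them per client, and reports clients that reach a threshold of denials together with the zones they asked for. The log lines are constructed, and their format is an assumption modelled on the BIND 9 security-category message "zone transfer '<zone>/AXFR/IN' denied" (the message only appears once transfers are already restricted, e.g. with BIND's allow-transfer option limiting AXFR to the secondaries; a server that allows transfers to anyone logs nothing to count).

```python
import re
from collections import Counter, defaultdict

# Pattern for a denied-transfer line. Assumption: modelled on BIND 9's
# "client <ip>#<port>: zone transfer '<zone>/AXFR/IN' denied" message,
# with the optional "@0x..." handle and "(zone)" that newer versions add.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"zone transfer '(?P<zone>[^/']+)/(?P<type>AXFR|IXFR)/IN' denied"
)

# Constructed sample log, not a real capture: one client hammering several
# zones, one client with a single denial, and one unrelated query line.
SAMPLE_LOG = """\
21-Dec-1999 19:01:02.100 security: info: client 192.0.2.10#3921: zone transfer 'example.net/AXFR/IN' denied
21-Dec-1999 19:01:02.250 security: info: client 192.0.2.10#3922: zone transfer 'example.org/AXFR/IN' denied
21-Dec-1999 19:01:02.400 security: info: client 192.0.2.10#3923: zone transfer 'example.com/AXFR/IN' denied
21-Dec-1999 19:05:44.000 security: info: client 198.51.100.7#1055: zone transfer 'example.com/AXFR/IN' denied
21-Dec-1999 19:06:00.000 queries: info: client 203.0.113.5#53000: query: www.example.com IN A +
21-Dec-1999 19:07:12.000 security: info: client 192.0.2.10#3924: zone transfer 'example.com/IXFR/IN' denied
"""


def parse_denied_transfers(log_text):
    """Return a list of (client_ip, zone, transfer_type) for every denied line."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("zone"), m.group("type")))
    return hits


def flag_enumerators(log_text, threshold=3):
    """Return {client_ip: sorted list of zones} for clients with at least
    `threshold` denied transfers; one-off denials stay below the bar."""
    counts = Counter()
    zones_by_ip = defaultdict(set)
    for ip, zone, _ in parse_denied_transfers(log_text):
        counts[ip] += 1
        zones_by_ip[ip].add(zone)
    return {ip: sorted(zones_by_ip[ip]) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, zones in flag_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(zones)} zones requested via denied transfer: {', '.join(zones)}")
```

Point it at the security-category log (or journald output) of a server whose named.conf already has allow-transfer restricted, and raise the threshold to whatever one legitimate misconfigured secondary would plausibly produce; the point is the fan-out across many zones from one client, which is what the quoted script produces and a stray secondary does not.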
