unauthorized update attempts
acorns at joreybump.com
Sat Feb 2 04:42:24 UTC 2002
Danny Mayer wrote:
> At 07:27 PM 2/1/02, acorns wrote:
>>I'm using bind-9.1.3-4, which defaults to disallow dynamic updates, so I
>>realize I'm safe. Here is what is appearing in my log:
>>Jan 30 01:52:10 ns3 named: dynamic update failed: 'RRset exists
>>(value dependent)' prerequisite not satisfied (NXRRSET)
>>Jan 30 01:52:10 ns3 named: client 188.8.131.52#65078: update denied
>>I've set up ipchains to deny this entire C class, as I have received
>>other update attempts from this IP range in the past. It's not one of my
>>own hosts (the IP seems to be somewhere in Asia), which makes me wonder
>>what these attempts are trying to accomplish. On my old server (running
>>bind 8) the error messages were more verbose, so I could see which
>>domain was targeted. We regularly bounce mail for unknown users at this
>>domain, which suggests that someone might be trying to use it.
>>Should I assume this is a hijack attempt, or a misconfigured name
>>server? Can anyone recommend any additional precautions?
> Yes, contact Bill Gates and tell him to stop doing that! W2K tries to do this
> by default.
I caught that in previous threads, but in those cases the W2K machines
were on the same network, in the same domain. Why would a computer
outside of my domain try to update my zone, unless it was a hijack
attempt or a typo? It seems unlikely that this W2K bug would randomly
target my domain.
It does match the W2K pattern somewhat, however. There were only about
five attempts, then it stopped.
A few months ago, attempts to update the same domain came every five
minutes, and were still coming weeks later, when I flushed ipchains for
a moment. That was a different IP, so they may still be trying for all I
know. Here are the log entries (bind 8 at the time):
Oct 19 03:36:28 ns1 named: denied update from
[184.108.40.206].1056 for "MYDOMAIN.COM"
Oct 19 03:41:28 ns1 named: denied update from
[220.127.116.11].1033 for "MYDOMAIN.COM"
These came in December from the same network that I mentioned in my
Dec 10 11:57:20 ns1 named: denied update from [18.104.22.168].3170
Dec 10 11:57:22 ns1 named: denied update from [22.214.171.124].1561
I checked the whois at ARIN, and both networks are controlled by
companies in Hong Kong. I don't know if I should try to contact someone, or
if it's even worth the bother. Bill pretended not to know anything about
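As an added example that is not part of this thread, a small Python parser for the two denied-update log formats quoted above (BIND 8 'denied update from [IP].port for "ZONE"' and BIND 9 'client IP#port: update denied') that groups attempts per source address and reports the shortest interval between them, so a steady every-five-minutes pattern stands out from a handful of one-off attempts. The IPs and zone name in the sample lines are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the BIND 8 and BIND 9 messages quoted in the thread
# (placeholder addresses and zone; not the original poster's data).
SAMPLE_LOG = """\
Oct 19 03:36:28 ns1 named: denied update from [192.0.2.10].1056 for "EXAMPLE.COM"
Oct 19 03:41:28 ns1 named: denied update from [192.0.2.10].1033 for "EXAMPLE.COM"
Oct 19 03:46:28 ns1 named: denied update from [192.0.2.10].1071 for "EXAMPLE.COM"
Jan 30 01:52:10 ns3 named: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jan 30 01:52:10 ns3 named: client 198.51.100.7#65078: update denied
Jan 30 01:52:15 ns3 named: client 198.51.100.7#65079: update denied
"""

# BIND 8 names the zone; BIND 9's "update denied" line only names the client.
BIND8_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ named: denied update from '
    r'\[(?P<ip>[^\]]+)\]\.\d+ for "(?P<zone>[^"]+)"')
BIND9_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ named: client (?P<ip>[^#]+)#\d+: update denied')

def parse_denied_updates(text):
    """Return a list of (timestamp, source_ip, zone_or_None) for each denied-update line."""
    events = []
    for line in text.splitlines():
        m = BIND8_RE.match(line) or BIND9_RE.match(line)
        if not m:
            continue  # prerequisite-failure lines carry no source address; skip them
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog omits the year
        zone = m.groupdict().get("zone")  # absent for BIND 9 lines
        events.append((ts, m.group("ip").strip(), zone))
    return events

def summarize_by_source(events):
    """Per source IP: attempt count, zones named (BIND 8 only), shortest gap in seconds."""
    by_ip = defaultdict(list)
    for ts, ip, zone in events:
        by_ip[ip].append((ts, zone))
    summary = {}
    for ip, items in by_ip.items():
        times = sorted(t for t, _ in items)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[ip] = {
            "attempts": len(items),
            "zones": sorted({z for _, z in items if z}),
            "min_interval_s": min(gaps) if gaps else None,
        }
    return summary
```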