Is Muddleworks scanning your DNS too?

Danny Mayer mayer at gis.net
Thu Nov 28 00:58:31 UTC 2002


At 01:39 PM 11/27/02, David Miller wrote:

>On Wed, 27 Nov 2002, Pete Ehlke wrote:
>
>Hi Pete;
>
>Thanks for CC'ing me and giving me a chance to reply.  I don't regularly
>read bind-users.
>
>
> > On Wed, Nov 27, 2002 at 06:43:01AM -0800, Baby Peanut wrote:
> > >
> > > We have a few Internet nameservers on different networks hosting
> > > different zones.  We get scanned by 207.5.180.138.  It walks through
> > > PTR queries incrementing the last octet from 0 to 255 regardless of
> > > the rest of the address.
> > >
> > > Does it happen to your servers too?
> > >
> > > Who is Muddleworks and what do they do?
> > >
> > > $ whois -a 207.5.180.138
> > > Great Works Internet GWI-BLK-1 (NET-207-5-128-0-1)
> > >                                   207.5.128.0 - 207.5.255.255
> > > Muddleworks GWI-MUDDLEWORKS-BLK-1 (NET-207-5-180-0-1)
> > >                                   207.5.180.0 - 207.5.180.255
> > >
> > I've seen this, too. They seem to be building some sort of local
> > database of the in-addr.arpa tree, for what purpose I'm not sure.
>
>
>This is exactly what we're doing.  The purpose is a reverse dns
>accelerator for high end web sites who want to resolve log files in
>real-time, or resolve log files that are simply too large to handle
>now.  An additional use is customization of the web site in real-time
>based on the resolved hostname.

This seems to be based on a number of erroneous assumptions:
1) No DDNS so the PTR names are not changing
2) Different users won't use the same IP addresses

Both of these are false. Dialups, for example, if they do bother to update
the PTR records, end up putting in something like dialup-203-4-5-6.place.foo,
which tells you nothing about the users, and sometimes not even the ISP
is right. The address gets reused by the next client coming in for something
totally different. So what do you end up with for things like correlating access
to your Web pages? Most companies now have firewalls, so you have users
coming through proxies, so that the address you see is multiple users coming
in at different times and sometimes simultaneously.

So what's really being accomplished here?

>There are no security issues here; Muddleworks (MiningWorks, actually) is
>only interested in a copy of the published DNS data.
>
>We take great pains to make the scanning as unobtrusive as possible so
>that no nameserver or network admins would perceive themselves to be under
>any sort of attack, DoS or otherwise.  We also perform 99.9% of the
>scanning during the wee hours, when the network and nameservers are as
>idle as possible.
>
> > I'm Cc-ing muddleworks on this message. Folks, walking the in-addr.arpa
> > tree like this can be seen as hostile. An explanation posted to
> > bind-users at isc.org and a (conspicuously linked) page on your web server
> > would probably be a very good PR move...
>
>
>Well, here's a notice.  A web site is currently being developed, and
>a pointer to a page explaining what's going on will be available soon
>through a DNS lookup. MiningWorks is now through the development stage and
>beginning the commercialization stage, and additional things will happen
>soon to help in dealing with DNS administrators.  Specifically:
>
>o A DNS record of some type will be checked to see if scanning is
>   not allowed in this space.  This will be the equivalent of a
>   "robots.txt" file that web crawlers look for.
>
>o Concise explanations will be posted on the web site detailing
>   what is going on, why, and how to create the above record.
>
>o A web form will allow admins to specify that zone transfers will
>   be allowed from specified servers.
>
>Yes, it would have been nice to have all these in place when the first
>scanning started.  The company, however, was concerned with laying that
>many cards on the table before we were ready to deliver the product.

You have to be aware however of how quickly your activities are likely
to get noticed. Notices and Web pages could and should have been made
ready before you got started so that any inquiries could have been
answered immediately. I understand the business issues, but you are
doing it in a public space and that needs to be taken into account.

Danny
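A defender-side detector for the PTR walk described in this thread (one source querying the reverse name of every last octet of a /24, .0 and .255 included), added here as an example and not part of the original message; the BIND querylog line shape it parses and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed BIND 9 querylog line shape (the constructed sample below follows it):
#   client <ip>#<port>: query: <name> IN <type> ...
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN PTR\b")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)

def find_ptr_walks(lines, min_octets=200):
    """Return [(source, '/24 prefix', distinct last octets, queried both .0 and .255)]
    for every source that asked for PTRs covering most of a /24."""
    seen = defaultdict(set)  # (source, "a.b.c") -> set of last octets queried
    for line in lines:
        q = QUERY_RE.search(line)
        if not q:
            continue
        m = PTR_RE.match(q.group("name"))
        if not m:
            continue
        d, c, b, a = (int(x) for x in m.groups())  # reverse tree -> forward order
        seen[(q.group("src"), f"{a}.{b}.{c}")].add(d)
    walks = []
    for (src, prefix), octets in sorted(seen.items()):
        if len(octets) >= min_octets:
            # .0 and .255 are rarely real hosts; a lookup of both is the walk's signature
            walks.append((src, prefix + ".0/24", len(octets), {0, 255} <= octets))
    return walks

def constructed_log():
    """Constructed sample: one client walking 203.4.5.0/24 (.0 through .255) and
    one client doing a handful of ordinary lookups."""
    lines = [f"client 207.5.180.138#3053: query: {i}.5.4.203.in-addr.arpa IN PTR"
             for i in range(256)]
    lines += [f"client 192.0.2.10#1025: query: {i}.5.4.203.in-addr.arpa IN PTR"
              for i in (17, 42, 43, 80)]
    lines.append("client 192.0.2.10#1025: query: www.example.com IN A")
    return lines

if __name__ == "__main__":
    for src, prefix, n, edges in find_ptr_walks(constructed_log()):
        print(f"{src} walked {prefix}: {n} distinct last octets, .0 and .255 included: {edges}")
```

Lowering `min_octets` catches partial walks at the cost of flagging busy legitimate resolvers, so tune it against your own query volume.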
