DoS?

Drew Weaver drew.weaver at thenap.com
Thu Oct 24 13:49:04 UTC 2002


Ah, you're getting those too? I got a bunch of that from some Fujitsu DNS
servers ... Tuesday night.

-Drew


-----Original Message-----
From: Sam Pointer [mailto:sam.pointer at hpdsoftware.com] 
Sent: Thursday, October 24, 2002 9:27 AM
To: comp-protocols-dns-bind at isc.org
Subject: DoS?


I am getting bombarded with entries in my query and syslog files. Here is a
small subset:
 
BIND query.log:
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#2761: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#2762: query: ns1.hpdsc.com IN A
client 200.76.208.65#22722: query: 1254130450450-3 IN TKEY
client 200.76.208.65#22723: query: 1254130450450-2 IN TKEY
client 200.76.208.65#22724: query: 1254130450450-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SRV
client 200.76.208.65#22728: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22729: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22730: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#22731: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22732: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22733: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.65#22734: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22735: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22736: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#22737: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22738: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22739: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22740: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22741: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22742: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22743: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22744: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22745: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22746: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22747: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22748: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22749: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22750: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22751: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
...
client 200.76.208.70#54177: query: _kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.65#9051: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.65#9132: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9142: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 195.167.246.4#1027: query: hpdsc.com IN SOA
client 200.76.208.65#9158: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.65#9172: query: _ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9183: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9202: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9202: query: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9218: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9226: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9226: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9241: query: 48e4f905-3da4-4346-abd4-391027e39ace._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9251: query: _kerberos._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.65#9343: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9351: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9359: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
client 207.248.224.71#16916: query: _ldap._tcp.hpdsc.com IN SOA
...
client 200.76.208.65#6608: query: NS4.hpdsc.com IN A
client 200.76.208.65#6608: query: ns2.hpdsc.com IN A
client 200.76.208.65#6608: query: ns3.hpdsc.com IN A
 
ns1.hpdsc.com syslog:
Oct 24 14:00:32 ns1 named[799]: client 200.76.208.65#9261: update denied
Oct 24 14:00:47 ns1 last message repeated 2 times
Oct 24 14:01:24 ns1 named[799]: client 200.76.208.65#9268: update denied
Oct 24 14:00:47 ns1 last message repeated 2 times
Oct 24 14:01:24 ns1 named[799]: client 200.76.208.65#9268: update denied
Oct 24 14:01:39 ns1 last message repeated 2 times
Oct 24 14:02:16 ns1 named[799]: client 200.76.208.65#9276: update denied
Oct 24 14:01:39 ns1 last message repeated 2 times
Oct 24 14:02:16 ns1 named[799]: client 200.76.208.65#9276: update denied
Oct 24 14:02:31 ns1 last message repeated 2 times
Oct 24 14:03:08 ns1 named[799]: client 200.76.208.65#9283: update denied
Oct 24 14:02:31 ns1 last message repeated 2 times
Oct 24 14:03:08 ns1 named[799]: client 200.76.208.65#9283: update denied
Oct 24 14:03:23 ns1 last message repeated 2 times
Oct 24 14:04:01 ns1 named[799]: client 200.76.208.65#9291: update denied
Oct 24 14:03:23 ns1 last message repeated 2 times
Oct 24 14:04:01 ns1 named[799]: client 200.76.208.65#9291: update denied
Oct 24 14:04:16 ns1 last message repeated 2 times
Oct 24 14:04:53 ns1 named[799]: client 200.76.208.65#9298: update denied
Oct 24 14:04:16 ns1 last message repeated 2 times
Oct 24 14:04:53 ns1 named[799]: client 200.76.208.65#9298: update denied
Oct 24 14:05:08 ns1 last message repeated 2 times
Oct 24 14:05:45 ns1 named[799]: client 200.76.208.65#9305: update denied
Oct 24 14:05:08 ns1 last message repeated 2 times
Oct 24 14:05:45 ns1 named[799]: client 200.76.208.65#9305: update denied
Oct 24 14:06:00 ns1 last message repeated 2 times
Oct 24 14:06:38 ns1 named[799]: client 200.76.208.65#9312: update denied
Oct 24 14:06:00 ns1 last message repeated 2 times
Oct 24 14:06:38 ns1 named[799]: client 200.76.208.65#9312: update denied
Oct 24 14:06:53 ns1 last message repeated 2 times
Oct 24 14:07:30 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:06:53 ns1 last message repeated 2 times
Oct 24 14:07:30 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:07:35 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:07:39 ns1 named[799]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:07:44 ns1 named[799]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:07:45 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:07:54 ns1 named[799]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update denied
Oct 24 14:07:45 ns1 last message repeated 2 times
Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update denied
Oct 24 14:08:37 ns1 last message repeated 2 times

These two machines (200.76.208.65 and 200.76.208.70) do not belong to me and are not
affiliated with me in any way. I have black-holed the IP addresses but still
it persists. Any ideas?
 
Either somebody is pretending to have a Win2K machine on my domain, which is
trying to add its Win2K records to my domain, or else they are maliciously
bombarding me.
 
Any help would be greatly appreciated.

Sam Pointer [Network, Security & UNIX]
_________________________________________
HPD Software Ltd. (www.hpdsoftware.com) sam.pointer at hpdsoftware.com 
 


This email and any attachments are strictly confidential and are intended
solely for the addressee. If you are not the intended recipient you must not
disclose, forward, copy or take any action in reliance on this message or
its attachments. If you have received this email in error please notify the
sender as soon as possible and delete it from your computer systems. Any
views or opinions presented are solely those of the author and do not
necessarily reflect those of HPD Software Limited or its affiliates.

At present the integrity of email across the internet cannot be guaranteed
and messages sent via this medium are potentially at risk. All liability is
excluded to the extent permitted by law for any claims arising as a result
of the use of this medium to transmit information by or to
HPD Software Limited or its affiliates.
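The sequence in Sam's logs (SOA lookups for each _ldap/_kerberos/_gc/_kpasswd service name and for the _msdcs subtree, bursts of TKEY queries, then "update denied") is the footprint of a Windows 2000 domain controller's Netlogon service trying to register its DC locator records by dynamic DNS: it asks for the SOA of each name to find the zone's primary, sends an UPDATE, and when that is refused negotiates a GSS-TSIG key over TKEY to retry as a secure update. The following Python triage script is an added example, not code from the thread or from ISC; it parses BIND query-log and syslog lines of the shape shown above, counts those three signals per client address and labels each client. The log lines embedded in it are constructed for the example, modelled on the excerpts in the thread, and the field layout it assumes is the one visible in those excerpts.

```python
import re
from collections import defaultdict

# Sample lines constructed for this example, modelled on the excerpts in the
# thread above; they are not the poster's actual log files.
QUERY_LOG = """\
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.65#2761: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#22722: query: 1254130450450-3 IN TKEY
client 200.76.208.65#22723: query: 1254130450450-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._tcp.dc._msdcs.hpdsc.com IN SOA
client 195.167.246.4#1027: query: hpdsc.com IN SOA
client 10.0.0.5#3333: query: www.hpdsc.com IN A
"""

SYSLOG = """\
Oct 24 14:00:32 ns1 named[799]: client 200.76.208.65#9261: update denied
Oct 24 14:00:47 ns1 last message repeated 2 times
Oct 24 14:07:39 ns1 named[799]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update denied
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")
DENIED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: update denied")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# Owner names a Windows DC registers: the _ldap/_kerberos/_kpasswd/_gc SRV
# names and anything under _msdcs.
DC_NAME_RE = re.compile(r"^_(ldap|kerberos|kpasswd|gc)\._(tcp|udp)\.|\._msdcs\.", re.I)


def _new_counters():
    return {"dc_soa": 0, "tkey": 0, "update_denied": 0}


def parse_query_log(text, stats=None):
    """Count, per client IP, SOA probes for DC names and TKEY queries.

    A client asking for the SOA of a service name is not resolving it; it is
    locating the zone's primary so it can send an UPDATE for that name.
    """
    stats = stats if stats is not None else defaultdict(_new_counters)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]          # touch the entry so every client is reported
        qtype = m["type"].upper()
        if qtype == "TKEY":
            s["tkey"] += 1          # GSS-TSIG key negotiation for a secure update
        elif qtype == "SOA" and DC_NAME_RE.search(m["name"]):
            s["dc_soa"] += 1
    return stats


def parse_syslog(text, stats):
    """Add refused UPDATEs per client, expanding syslog's 'repeated N times'."""
    last_ip = None
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            stats[m["ip"]]["update_denied"] += 1
            last_ip = m["ip"]
            continue
        r = REPEAT_RE.search(line)
        if r and last_ip:
            stats[last_ip]["update_denied"] += int(r["n"])
            continue
        last_ip = None   # e.g. 'dynamic update failed' lines carry no client address
    return stats


def classify(stats):
    """Verdict per client.

    dc-dynamic-update: negotiated TKEY or had an UPDATE refused, i.e. it is
                       trying to write DC records into the zone.
    dc-soa-probe:      only the SOA lookups that precede such an update.
    ordinary:          nothing that looks like DC registration.
    """
    verdicts = {}
    for ip, s in stats.items():
        if s["tkey"] or s["update_denied"]:
            verdicts[ip] = "dc-dynamic-update"
        elif s["dc_soa"]:
            verdicts[ip] = "dc-soa-probe"
        else:
            verdicts[ip] = "ordinary"
    return verdicts


def analyse(query_log, syslog):
    stats = parse_syslog(syslog, parse_query_log(query_log))
    return stats, classify(stats)


if __name__ == "__main__":
    stats, verdicts = analyse(QUERY_LOG, SYSLOG)
    for ip in sorted(verdicts):
        s = stats[ip]
        print(f"{ip:16} {verdicts[ip]:18} soa={s['dc_soa']} tkey={s['tkey']} "
              f"denied={s['update_denied']}")
```

Two points worth reading off the result. The "update denied" lines mean named's update policy for the zone is already refusing the writes, so the zone content is not at risk; the cost is log volume. And a null route for the two addresses only discards replies: the queries and UPDATEs arrive over UDP regardless and are still logged, so silencing them takes an inbound filter (a firewall rule, or BIND's allow-query/allow-update ACLs) rather than a black-holed route.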






More information about the bind-users mailing list