DoS?

Cricket Liu cricket at menandmice.com
Thu Oct 24 13:51:17 UTC 2002


Sam Pointer wrote:
> I am getting bombarded with entries in my query and syslog files.
> Here is a small subset:
> 
> BIND query.log:
> client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN
> SRV client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com
> IN SRV client 200.76.208.70#54177: query:
> _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV client 200.76.208.70#54177:
> query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV client
> 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
> client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA client
> 200.76.208.65#2761: query: PRDCMX01.hpdsc.com IN SOA client
> 200.76.208.65#2762: query: ns1.hpdsc.com IN A client
> 200.76.208.65#22722: query: 1254130450450-3 IN TKEY client
> 200.76.208.65#22723: query: 1254130450450-2 IN TKEY client
> 200.76.208.65#22724: query: 1254130450450-2 IN TKEY client
> 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV
> client 200.76.208.70#54177: query:
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SRV
> client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN
> SRV client 200.76.208.70#54177: query:
> _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com
> IN SRV client 200.76.208.65#22728: query: 1305670058002-3 IN TKEY
> client 200.76.208.65#22729: query: 1305670058002-2 IN TKEY
> client 200.76.208.65#22730: query: 1305670058002-2 IN TKEY
> client 200.76.208.70#54177: query: hpdsc.com IN SOA
> client 200.76.208.65#22731: query: 1305670058002-3 IN TKEY
> client 200.76.208.65#22732: query: 1305670058002-2 IN TKEY
> client 200.76.208.65#22733: query: 1305670058002-2 IN TKEY
> client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
> client 200.76.208.65#22734: query: 1305670058002-3 IN TKEY
> client 200.76.208.65#22735: query: 1305670058002-2 IN TKEY
> client 200.76.208.65#22736: query: 1305670058002-2 IN TKEY
> client 200.76.208.70#54177: query:
> _ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
> client 200.76.208.65#22737: query: 1305670058002-3 IN TKEY
> client 200.76.208.65#22738: query: 1305670058002-2 IN TKEY
> client 200.76.208.65#22739: query: 1305670058002-2 IN TKEY
> client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN
> SOA client 200.76.208.65#22740: query: 1305670058002-3 IN TKEY
> client 200.76.208.65#22741: query: 1305670058002-2 IN TKEY
> client 200.76.208.65#22742: query: 1305670058002-2 IN TKEY
> client 200.76.208.70#54177: query: _ldap._tcp.gc._msdcs.hpdsc.com IN
> SOA client 200.76.208.65#22743: query: 1305670058002-3 IN TKEY
> client 200.76.208.65#22744: query: 1305670058002-2 IN TKEY
> client 200.76.208.65#22745: query: 1305670058002-2 IN TKEY
> client 200.76.208.70#54177: query:
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
> client 200.76.208.65#22746: query: 1305670058002-3 IN TKEY
> client 200.76.208.65#22747: query: 1305670058002-2 IN TKEY
> client 200.76.208.65#22748: query: 1305670058002-2 IN TKEY
> client 200.76.208.70#54177: query:
> _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com
> IN SOA
> client 200.76.208.65#22749: query: 1305670058002-3 IN TKEY
> client 200.76.208.65#22750: query: 1305670058002-2 IN TKEY
> client 200.76.208.65#22751: query: 1305670058002-2 IN TKEY
> client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
> ...
> client 200.76.208.70#54177: query:
> _kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
> client 200.76.208.65#9051: query: _gc._tcp.hpdsc.com IN SOA
> client 200.76.208.70#54177: query: _gc._tcp.hpdsc.com IN SOA
> client 200.76.208.65#9051: query:
> _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
> client 200.76.208.70#54177: query:
> _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
> client 200.76.208.65#9051: query: _kerberos._udp.hpdsc.com IN SOA
> client 200.76.208.70#54177: query: _kerberos._udp.hpdsc.com IN SOA
> client 200.76.208.65#9051: query: PRDCMX01.hpdsc.com IN SOA
> client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
> client 200.76.208.65#9051: query: _kpasswd._tcp.hpdsc.com IN SOA
> client 200.76.208.70#54177: query: _kpasswd._tcp.hpdsc.com IN SOA
> client 200.76.208.65#9051: query: _kpasswd._udp.hpdsc.com IN SOA
> client 200.76.208.70#54177: query: _kpasswd._udp.hpdsc.com IN SOA
> client 200.76.208.65#9132: query: hpdsc.com IN SOA
> client 200.76.208.70#54177: query: hpdsc.com IN SOA
> client 200.76.208.65#9142: query: hpdsc.com IN SOA
> client 200.76.208.70#54177: query: hpdsc.com IN SOA
> client 195.167.246.4#1027: query: hpdsc.com IN SOA
> client 200.76.208.65#9158: query: _ldap._tcp.hpdsc.com IN SOA
> client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
> client 200.76.208.65#9172: query:
> _ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
> client 200.76.208.70#54177: query:
> _ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
> client 200.76.208.65#9183: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN
> SOA client 200.76.208.70#54177: query:
> _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA client 200.76.208.65#9202:
> query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA client
> 200.76.208.70#54177: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
> client 200.76.208.65#9202: query:
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
> client 200.76.208.70#54177: query:
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
> client 200.76.208.65#9218: query:
> _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com
> IN SOA client 200.76.208.70#54177: query:
> _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com
> IN SOA
> client 200.76.208.65#9226: query: gc._msdcs.hpdsc.com IN SOA
> client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
> client 200.76.208.65#9226: query: gc._msdcs.hpdsc.com IN SOA
> client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
> client 200.76.208.65#9241: query:
> 48e4f905-3da4-4346-abd4-391027e39ace._msdcs.hpdsc.com IN SOA
> client 200.76.208.65#9251: query: _kerberos._tcp.dc._msdcs.hpdsc.com
> IN SOA client 200.76.208.70#54177: query:
> _kerberos._tcp.dc._msdcs.hpdsc.com IN SOA client 200.76.208.65#9259:
> query:
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN
> SOA client 200.76.208.70#54177: query:
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN
> SOA client 200.76.208.65#9259: query: _ldap._tcp.dc._msdcs.hpdsc.com
> IN SOA client 200.76.208.70#54177: query:
> _ldap._tcp.dc._msdcs.hpdsc.com IN SOA client 200.76.208.65#9259:
> query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com
> IN SOA client 200.76.208.70#54177: query:
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
> client 200.76.208.65#9259: query: _kerberos._tcp.hpdsc.com IN SOA
> client 200.76.208.70#54177: query: _kerberos._tcp.hpdsc.com IN SOA
> client 200.76.208.65#9259: query:
> _kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA client
> 200.76.208.70#54177: query:
> _kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA client
> 200.76.208.65#9259: query: _gc._tcp.hpdsc.com IN SOA client
> 200.76.208.70#54177: query: _gc._tcp.hpdsc.com IN SOA client
> 200.76.208.65#9259: query:
> _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA client
> 200.76.208.70#54177: query:
> _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA client
> 200.76.208.65#9259: query: _kerberos._udp.hpdsc.com IN SOA client
> 200.76.208.70#54177: query: _kerberos._udp.hpdsc.com IN SOA client
> 200.76.208.65#9259: query: _kpasswd._tcp.hpdsc.com IN SOA client
> 200.76.208.70#54177: query: _kpasswd._tcp.hpdsc.com IN SOA client
> 200.76.208.65#9259: query: PRDCMX01.hpdsc.com IN SOA client
> 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA client
> 200.76.208.65#9259: query: _kpasswd._udp.hpdsc.com IN SOA client
> 200.76.208.70#54177: query: _kpasswd._udp.hpdsc.com IN SOA client
> 200.76.208.65#9343: query: hpdsc.com IN SOA client
> 200.76.208.70#54177: query: hpdsc.com IN SOA client
> 200.76.208.65#9351: query: hpdsc.com IN SOA client
> 200.76.208.70#54177: query: hpdsc.com IN SOA client
> 200.76.208.65#9359: query: _ldap._tcp.hpdsc.com IN SOA client
> 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA client
> 207.248.224.71#16916: query: _ldap._tcp.hpdsc.com IN SOA ...
> client 200.76.208.65#6608: query: NS4.hpdsc.com IN A
> client 200.76.208.65#6608: query: ns2.hpdsc.com IN A
> client 200.76.208.65#6608: query: ns3.hpdsc.com IN A
> 
> ns1.hpdsc.com syslog:
> Oct 24 14:00:32 ns1 named[799]: client 200.76.208.65#9261: update
> denied Oct 24 14:00:47 ns1 last message repeated 2 times
> Oct 24 14:01:24 ns1 named[799]: client 200.76.208.65#9268: update
> denied Oct 24 14:00:47 ns1 last message repeated 2 times
> Oct 24 14:01:24 ns1 named[799]: client 200.76.208.65#9268: update
> denied Oct 24 14:01:39 ns1 last message repeated 2 times
> Oct 24 14:02:16 ns1 named[799]: client 200.76.208.65#9276: update
> denied Oct 24 14:01:39 ns1 last message repeated 2 times
> Oct 24 14:02:16 ns1 named[799]: client 200.76.208.65#9276: update
> denied Oct 24 14:02:31 ns1 last message repeated 2 times
> Oct 24 14:03:08 ns1 named[799]: client 200.76.208.65#9283: update
> denied Oct 24 14:02:31 ns1 last message repeated 2 times
> Oct 24 14:03:08 ns1 named[799]: client 200.76.208.65#9283: update
> denied Oct 24 14:03:23 ns1 last message repeated 2 times
> Oct 24 14:04:01 ns1 named[799]: client 200.76.208.65#9291: update
> denied Oct 24 14:03:23 ns1 last message repeated 2 times
> Oct 24 14:04:01 ns1 named[799]: client 200.76.208.65#9291: update
> denied Oct 24 14:04:16 ns1 last message repeated 2 times
> Oct 24 14:04:53 ns1 named[799]: client 200.76.208.65#9298: update
> denied Oct 24 14:04:16 ns1 last message repeated 2 times
> Oct 24 14:04:53 ns1 named[799]: client 200.76.208.65#9298: update
> denied Oct 24 14:05:08 ns1 last message repeated 2 times
> Oct 24 14:05:45 ns1 named[799]: client 200.76.208.65#9305: update
> denied Oct 24 14:05:08 ns1 last message repeated 2 times
> Oct 24 14:05:45 ns1 named[799]: client 200.76.208.65#9305: update
> denied Oct 24 14:06:00 ns1 last message repeated 2 times
> Oct 24 14:06:38 ns1 named[799]: client 200.76.208.65#9312: update
> denied Oct 24 14:06:00 ns1 last message repeated 2 times
> Oct 24 14:06:38 ns1 named[799]: client 200.76.208.65#9312: update
> denied Oct 24 14:06:53 ns1 last message repeated 2 times
> Oct 24 14:07:30 ns1 named[799]: client 200.76.208.65#9320: update
> denied Oct 24 14:06:53 ns1 last message repeated 2 times
> Oct 24 14:07:30 ns1 named[799]: client 200.76.208.65#9320: update
> denied Oct 24 14:07:35 ns1 named[799]: client 200.76.208.65#9320:
> update denied Oct 24 14:07:39 ns1 named[799]: dynamic update failed:
> 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> Oct 24 14:07:44 ns1 named[799]: dynamic update failed: 'RRset exists
> (value dependent)' prerequisite not satisfied (NXRRSET)
> Oct 24 14:07:45 ns1 named[799]: client 200.76.208.65#9320: update
> denied Oct 24 14:07:54 ns1 named[799]: dynamic update failed: 'RRset
> exists (value dependent)' prerequisite not satisfied (NXRRSET)
> Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update
> denied Oct 24 14:07:45 ns1 last message repeated 2 times
> Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update
> denied Oct 24 14:08:37 ns1 last message repeated 2 times
> 
> These two machines 200.76.208.65\70 do not belong to me and are not
> affiliated with me in any way. I have black-holed the IP addresses
> but still it persists. Any ideas?
> 
> Either somebody is pretending to have a Win2K machine on my domain,
> which is trying to add its Win2K records to my domain, or else they
> are maliciously bombarding me.

Apparently they're two of HP Mexico's hosts, running Windows 2000
or XP, that think they're part of an AD domain called hpdsc.com.
Consequently, they're trying to look up SRV records (to find the
domain's domain controller) and TKEY records (to negotiate a key to
use in secure dynamic updates), and then they're sending dynamic
updates (to register their name-to-address and address-to-name
mappings).

cricket

Men & Mice
DNS Software, Training and Consulting
www.menandmice.com

The DNS and BIND Cookbook, available now!
http://www.oreilly.com/catalog/dnsbindckbk/
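The sequence Cricket describes (SRV lookups for the domain controller, TKEY queries to negotiate a key, then dynamic updates that named refuses) leaves a recognisable fingerprint in query and syslog output. The following is an added triage script, not code from either poster or from BIND; it scans log lines in the format shown in the post and groups those signals per client address so a misconfigured AD member can be told apart from ordinary resolver traffic. The function names, the signal labels and the sample lines (which use RFC 5737 documentation addresses and example.com) are constructed for this example.

```python
"""Triage BIND query-log and syslog lines for the AD-member registration pattern.

Added example: the regexes follow the line formats quoted in the thread
(named query logging and the 'update denied' syslog message); everything
else is an assumption made for illustration.
"""
import re
from collections import defaultdict

# named query-log line, e.g.
#   client 192.0.2.10#54177: query: _ldap._tcp.dc._msdcs.example.com IN SRV
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<rtype>[A-Z]+)"
)
# syslog line written when named refuses a dynamic update
UPDATE_DENIED_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: update denied"
)
# service names an AD member queries while locating its domain controllers
AD_SRV_RE = re.compile(r"^_(ldap|kerberos|gc|kpasswd)\._(tcp|udp)\.", re.IGNORECASE)
MSDCS_RE = re.compile(r"\._msdcs\.", re.IGNORECASE)


def classify(line):
    """Return (client_ip, signal) if the line carries a registration signal, else None."""
    m = QUERY_RE.search(line)
    if m:
        ip, name, rtype = m.group("ip"), m.group("name"), m.group("rtype")
        if rtype == "TKEY":
            return ip, "tkey"            # key negotiation for a secure dynamic update
        if rtype == "SRV" and AD_SRV_RE.match(name):
            return ip, "ad_srv"          # domain-controller locator lookup
        if rtype == "SOA" and (AD_SRV_RE.match(name) or MSDCS_RE.search(name)):
            return ip, "update_probe"    # SOA lookup that precedes a dynamic update
        return None
    m = UPDATE_DENIED_RE.search(line)
    if m:
        return m.group("ip"), "update_denied"
    return None


def summarize(lines):
    """Count each signal per client address; addresses with no signal are omitted."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit:
            ip, signal = hit
            per_ip[ip][signal] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


def misconfigured_ad_clients(summary, min_distinct_signals=2):
    """Addresses that show at least `min_distinct_signals` different signal kinds."""
    return sorted(ip for ip, counts in summary.items()
                  if len(counts) >= min_distinct_signals)


# Constructed sample input modelled on the lines quoted in the thread.
SAMPLE_LINES = [
    "client 192.0.2.10#54177: query: _ldap._tcp.dc._msdcs.example.com IN SRV",
    "client 192.0.2.10#54177: query: _ldap._tcp.pdc._msdcs.example.com IN SRV",
    "client 192.0.2.10#54177: query: _kerberos._tcp.example.com IN SOA",
    "client 192.0.2.11#22722: query: 1254130450450-3 IN TKEY",
    "client 192.0.2.11#22723: query: 1254130450450-2 IN TKEY",
    "client 192.0.2.11#9183: query: _ldap._tcp.pdc._msdcs.example.com IN SOA",
    "Oct 24 14:00:32 ns1 named[799]: client 192.0.2.11#9261: update denied",
    "client 198.51.100.7#1027: query: www.example.com IN A",   # ordinary resolver
    "client 198.51.100.7#1028: query: example.com IN SOA",     # ordinary resolver
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for ip, counts in sorted(report.items()):
        print(ip, counts)
    print("likely misconfigured AD members:", misconfigured_ad_clients(report))
```

Run against a real query log with `summarize(open("query.log"))`. The "update denied" lines in the post already show named rejecting the updates, so the script's purpose is to attribute the noise to the responsible hosts, which is the information needed to contact whoever operates them.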

