DNS Exploit Attempts??

Jeff Lightner jlightner at water.com
Wed Jul 30 17:08:42 UTC 2008


I was on vacation last week but saw the thread then about these failed
queries.

Someone had apparently posted on a Fedora forum that seeing the high
level of query cache denied was a sign of people trying the exploit but
someone else here said it wasn't a symptom of the exploit.

However, on returning to my office I too saw a dramatic increase in the
number of these. If they aren't for the exploit does someone know why
they increased?

P.S.  I'm already patched for the exploit.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Emery Rudolph
Sent: Wednesday, July 30, 2008 12:59 PM
To: Dawn Connelly
Cc: comp-protocols-dns-bind at isc.org
Subject: Re: DNS Exploit Attempts??

Thanks Dawn,
I must have misunderstood the blackhole directive. I thought it was strictly
for blocking nameserver - nameserver queries as opposed to a client that
points directly at you by making you their primary nameservice.

If this problem flares up again, I will definitely try the option. :-)



On Wed, Jul 30, 2008 at 12:20 PM, Dawn Connelly
<dawn.connelly at gmail.com> wrote:

> Hehehe, that address is coming from Russia so you can pretty much
> assume it's badness.
>
> If you don't want to wait for your firewall team for future events
> like this, you can always blacklist them too.
>
> blackhole { address_match_list };
>
>
> On Wed, Jul 30, 2008 at 8:55 AM, Terpasaur
> <emery.rudolph at gmail.com> wrote:
>
>> Good morning.
>>
>> I upgraded our last resolver this morning to the new P1 code and
>> turned on "rndc querylog". I am seeing a steady stream of these
>> messages with the same IP at a rate of about 100/min.
>>
>> Jul 30 11:50:39 ns2 named[2780]: [ID 873579 daemon.info] security:
>> info: client 194.85.88.199#22941: query (cache) './ANY/IN' denied
>>
>> Is this an example of the cache exploit attempt?
>>
>> I've already spoken with our INET team about blocking the IP at the
>> firewall a couple of days to see if the automated mechanism stops
>> because of denied access, or if it continues regardless.
>>
>> Thanks,
>>
>> Emery Rudolph
>> Sr. Systems Analyst
>> Office of Information Technology
>> University of Maryland University College
>> Email: Erudolph at umuc.edu
>>
>>
>>
>>
>
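The querylog line Emery quotes and the blackhole statement Dawn suggests lend themselves to a small triage script. The following is an added example, not code from the thread or from ISC: it parses BIND "query (cache) ... denied" lines in the format shown above, counts denied queries per client per minute so a ~100/min source stands out from the occasional stray lookup, and renders the matching blackhole stanza. The sample log lines are constructed, use documentation addresses (192.0.2.10, 198.51.100.7), and assume the 2008 date of the thread for the year that syslog timestamps omit.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the querylog "denied" line quoted in the thread: syslog prefix, optional
# Solaris "[ID ...]" tag, client ip#port, then 'qname/qtype/qclass'.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?:\[ID \d+ \S+\] )?"
    r"security: info: client (?P<ip>[\d.]+)#\d+: query \((?P<what>\w+)\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied$"
)

def parse_denied(line, year=2008):
    """Parse one denied-query line into a dict, or None if it is some other message."""
    m = DENIED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the caller supplies it (2008 here, assumed from the thread)
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec

def noisy_clients(lines, per_minute=60):
    """Return {ip: peak denied queries in any single minute} for clients at or above per_minute."""
    per_ip = defaultdict(Counter)  # ip -> Counter(minute -> denied count)
    for line in lines:
        rec = parse_denied(line)
        if rec is not None:
            per_ip[rec["ip"]][rec["ts"].replace(second=0)] += 1
    peaks = {ip: max(c.values()) for ip, c in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= per_minute}

def blackhole_stanza(ips):
    """Render the options-level blackhole statement from the thread for the offending addresses."""
    return "blackhole { " + "".join(f"{ip}; " for ip in sorted(ips)) + "};"

# Constructed sample log: one client sending 100 './ANY/IN' queries in a minute, as
# described in the thread, plus an ordinary client with two stray denied lookups.
PREFIX = "Jul 30 11:50:%02d ns2 named[2780]: [ID 873579 daemon.info] security: info: "
SAMPLE_LOG = [
    PREFIX % (i % 60) + "client 192.0.2.10#%d: query (cache) './ANY/IN' denied" % (20000 + i)
    for i in range(100)
] + [
    PREFIX % 12 + "client 198.51.100.7#4321: query (cache) 'www.example.com/A/IN' denied",
    PREFIX % 13 + "client 198.51.100.7#4322: query (cache) 'example.net/MX/IN' denied",
]

if __name__ == "__main__":
    hits = noisy_clients(SAMPLE_LOG)
    print(hits)                    # {'192.0.2.10': 100}
    print(blackhole_stanza(hits))  # blackhole { 192.0.2.10; };
```

Feed it `grep denied /var/log/messages` output instead of SAMPLE_LOG to get the same per-client peaks from a real querylog.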

