On Thu, Jan 02, 2003 at 07:53:20PM -0500, Rob Payne wrote:
> On Thu, Jan 02, 2003 at 03:16:43PM -0500, Kevin Darcy wrote:
> > > My Bind 9.2.1 servers have started sending me the above message via
> > > LogWatch. I won't be back in the office until the 6th, so I can't check the
> > > log files themselves. They've been up for several months but this just
> > > started a few days ago. Can anyone shed any light on what this might mean?
> >
> > Well, basically it means what it says. NOTIFY packets usually
> > contain an SOA RR in their question section. You're getting NOTIFYs
> > without any SOA. That could mean some sort of packet
> > truncation/corruption, or it could mean a problem (e.g. bug,
> > resource issue) with the master, such that it is sending malformed
> > NOTIFY packets. If the master is having those sorts of problems,
> > it's likely that zone transfers are failing too, so changes won't
> > propagate. Definitely something I'd check out ASAP.
>
> Kevin,
>
> It appears to be more than that. It seems to be some type of active
> probing that is happening, not just from master to slave. It started
> showing up in logs on servers I have access to on 12/30. Others are
> seeing this on their servers, as well. So, either BIND just started
> doing it for everyone, or someone is doing some type of automated scan
> of name servers on the 'net.
>
> It may not be an attack-type scan, because it has not been happening
> with great frequency. It could be an early warning of a larger
> attack, a very small scale attack, or something as harmless as some
> type of DNS s/w survey.

In fact, we have the answer:

12/30/02-00:16:44.089887 [**] [1:1616:1] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 131.193.178.100:1264 -> xxx.xxx.xxx.xxx:53

The above happened at the same time as one of the messages regarding a malformed NOTIFY.

100.178.193.131.in-addr.arpa is an alias for 100.0-24.178.193.131.in-addr.arpa.
100.0-24.178.193.131.in-addr.arpa domain name pointer network-surveys.cr.yp.to.

-rob

(You gotta love when someone responds to their own messages. Not!)
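Kevin's explanation above is the check a practitioner would want to run on the wire: a NOTIFY (opcode 4) is expected to carry exactly the zone's SOA record in its question section, so a NOTIFY with an empty question, a non-SOA question type, or a truncated question is what BIND reports as malformed. The following is an added example, not code from this thread or from BIND: it parses the DNS header and question section of a raw UDP payload and classifies NOTIFY messages by that rule. The packets it checks are constructed in the block (`build_notify` and the zone name `example.com.` are assumptions for illustration), so it runs offline against nothing but its own sample input.

```python
# Added example (not from the mailing-list thread or from BIND): classify a raw DNS
# message as a well-formed NOTIFY, a malformed NOTIFY, or something else, using the
# rule that a NOTIFY's question section should contain the zone's SOA (QTYPE 6).
import struct

OPCODE_NOTIFY = 4   # DNS opcode for NOTIFY (RFC 1996)
QTYPE_SOA = 6       # question type expected in a NOTIFY
QCLASS_IN = 1


def build_notify(zone: str, qtype: int = QTYPE_SOA, qdcount: int = 1,
                 msg_id: int = 0x1234) -> bytes:
    """Constructed test input: a minimal NOTIFY request for `zone`.

    qdcount=0 produces the 'no SOA in the question section' case BIND complains
    about; a non-SOA qtype produces the other malformed variant.
    """
    flags = (OPCODE_NOTIFY << 11) | 0x0400          # QR=0, opcode=NOTIFY, AA set
    header = struct.pack("!HHHHHH", msg_id, flags, qdcount, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, QCLASS_IN) if qdcount else b""
    return header + question


def parse_name(buf: bytes, off: int):
    """Decode an uncompressed domain name starting at `off`; return (name, next_off).

    The first question name in a message cannot legitimately be a compression
    pointer, so a pointer is treated as an error rather than followed.
    """
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in question name")
        if off + length > len(buf):
            raise ValueError("label runs past end of packet")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def check_notify(packet: bytes) -> dict:
    """Return {'opcode', 'qdcount', 'zone', 'problem'} for a raw DNS message.

    'problem' is None for a non-NOTIFY message or a well-formed NOTIFY, and a
    short description otherwise.
    """
    result = {"opcode": None, "qdcount": None, "zone": None, "problem": None}
    if len(packet) < 12:
        result["problem"] = "truncated header"
        return result
    _msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    result["opcode"] = (flags >> 11) & 0xF
    result["qdcount"] = qdcount
    if result["opcode"] != OPCODE_NOTIFY:
        return result                                 # only NOTIFY is judged here
    if qdcount == 0:
        result["problem"] = "NOTIFY with empty question section (no SOA)"
        return result
    try:
        name, off = parse_name(packet, 12)
        qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    except (ValueError, struct.error):
        result["problem"] = "truncated question section"
        return result
    result["zone"] = name
    if qtype != QTYPE_SOA:
        result["problem"] = f"NOTIFY question type {qtype} is not SOA"
    return result


if __name__ == "__main__":
    samples = {
        "good": build_notify("example.com."),
        "no question": build_notify("example.com.", qdcount=0),
        "A instead of SOA": build_notify("example.com.", qtype=1),
        "cut short": build_notify("example.com.")[:20],
    }
    for label, pkt in samples.items():
        print(f"{label:18s} -> {check_notify(pkt)}")
```

Fed the payload of each UDP datagram to port 53 (for example from a capture), `check_notify` separates genuine master-to-slave NOTIFYs from the empty or odd ones, and the `zone` field lets a defender confirm whether a well-formed NOTIFY even names a zone the server is secondary for.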