Security Incidents mailing list archives
Re: DNS update queries: another sort of suspicious activity.
From: patrick () PINE NL (Patrick Oonk)
Date: Fri, 28 Jan 2000 21:02:16 +0100
On Fri, Jan 28, 2000 at 04:12:38PM +0300, Fyodor wrote:
> Greetings,
>
> Today noticed quite interesting logs from my named:
>
> Jan 28 05:56:54 ns named[14783]: unapproved update from [192.168.0.4].126 for myzone.com
> Jan 28 05:57:09 ns last message repeated 2 times
> ...
>
> Looks like someone tried to spoof DNS update queries to `update' zonefiles of my nameserver. I will try to dissect DNS update query tonight to see if I could write decent snort rules to detect this sort of attack.
Fyodor, this seems to be a 'feature' of Windows 2000. If you had portscanned the offending box you might have seen it was a Win2k box.

patrick

--
Patrick Oonk - PO1-6BONE - patrick () pine nl - www.pine.nl/~patrick
Pine Internet B.V. PINE31337-RIPE PGP key ID BE7497F1
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
---- Pine Security Digest - http://security.nl/ (Dutch) ----
Excuse of the day: Your excuse is: poor power conditioning
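
Added example, not part of either post and not the posters' code: a minimal dissection of a DNS UPDATE request, the step a detection rule for the `unapproved update` log lines above would rest on. It keys on opcode 5 and the SOA-typed zone section defined in RFC 2136; the sample messages and the name `host.myzone.com` are constructed.

```python
import struct

OPCODE_UPDATE = 5   # DNS opcode for dynamic update (RFC 2136)
TYPE_SOA = 6        # the zone section of an UPDATE must carry type SOA

def read_name(msg, off):
    """Decode the uncompressed name at `off`; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        # The zone name is the first name in the message, so a compression
        # pointer (top bits set) has nothing valid to point at: reject it.
        if n & 0xC0 or off + 1 + n > len(msg):
            raise ValueError("bad label")
        off += 1 + n
        if n == 0:
            return ".".join(labels) or ".", off
        labels.append(msg[off - n:off].decode("ascii", "replace"))

def dissect_update(msg):
    """Describe a DNS UPDATE request; return None for any other message."""
    if len(msg) < 12:
        return None
    ident, flags, zocount, prcount, upcount, _ = struct.unpack("!6H", msg[:12])
    if flags & 0x8000 or ((flags >> 11) & 0xF) != OPCODE_UPDATE:
        return None                               # a response, or not an UPDATE
    info = {"id": ident, "zone": None, "prereqs": prcount,
            "updates": upcount, "well_formed": False}
    try:
        zone, off = read_name(msg, 12)
        ztype, _zclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, struct.error):
        return info                               # UPDATE header, broken zone section
    info["zone"] = zone
    info["well_formed"] = zocount == 1 and ztype == TYPE_SOA
    return info

def _wire(name):                                  # encoder for the constructed samples
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

# Constructed messages (not captured traffic): an UPDATE for the zone named in
# the log lines, adding an A record for a hypothetical host, and a plain query.
SAMPLE_UPDATE = (struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0)
                 + _wire("myzone.com") + struct.pack("!HH", TYPE_SOA, 1)
                 + _wire("host.myzone.com") + struct.pack("!HHIH", 1, 1, 1200, 4)
                 + bytes([192, 168, 0, 4]))
SAMPLE_QUERY = (struct.pack("!6H", 0x4321, 0x0100, 1, 0, 0, 0)
                + _wire("myzone.com") + struct.pack("!HH", 1, 1))
```

`dissect_update(SAMPLE_UPDATE)` reports the zone `myzone.com` with one update record, while the ordinary query returns `None`.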