Security Incidents mailing list archives
Re: Microsoft version.binding us now?
From: eilander () COBWEB NL (Thijs Eilander)
Date: Wed, 31 May 2000 01:31:49 +0200
Same here, every +/- 4 minutes they poll for our VERSION.BIND. I resolved one of the ipnumbers to something.windowsupdate.com and I contacted the technical contacts. I appended their answer in my email. I think I break their system because our nameservers won't accept queries for domains we are not hosting. So their system won't get a result (except for a 'query refused' or something) and will try again the next time when someone from our iprange visits their site. Just my thoughts, I have no clue if it's correct ;) -----Original Message----- From: Information Security [mailto:netsec () microsoft com] Sent: dinsdag 30 mei 2000 22:49 To: 'eilander () cobweb nl' Subject: RE: unwanted connections The traffic that you are seeing is actually an automatic feature of the new load balancing dns that we are using (the product is 3dns, www.3dns.com). Basically, as your users hit our sites that use this system, the 3dns system needs to find out which data center that they are closest to, to try and improve performance. The system does this by sending a packet to port 53 at your domain. The system times the round trip, and uses that metric to calculate the closest servers. It looks like an aborted zone transfer normally, or a dns look-up that went wrong. The system apparently caches the information, and will periodically check (every couple of weeks) to make sure that it is still accurate. Decent idea in theory but there are some glitches in the implementation. The teams using the software here are working with the vender to get the problems ironed out. Meanwhile, they've implemented an exclusion list for places where these runaway connections occure. If you can send us the IP address range you are seeing this on in CIDR format, the team will add you to the exclusion list.
Current thread:
- Re: Microsoft version.binding us now? Fernando Cardoso (May 30)
- <Possible follow-ups>
- Re: Microsoft version.binding us now? Klaus Steding-Jessen (May 30)
- Re: Microsoft version.binding us now? Bill Marquette (Jun 01)
- Re: Microsoft version.binding us now? Thijs Eilander (May 30)
- Re: Microsoft version.binding us now? Bill Marquette (Jun 01)
- Re: Microsoft version.binding us now? Richard Bejtlich (Jun 02)
- Scan of the Week continued Lance Spitzner (Jun 03)
- very strange scan patterns Joe H (Jun 05)
- Re: very strange scan patterns John Kristoff (Jun 05)
- Sub-7 Khan, Mansoor (Jun 05)
- Re: Sub-7 James Stevenson (Jun 08)
- Re: Sub-7 Matthew F. Caldwell (Jun 08)
- Re: Sub-7 nine (Jun 08)
- Strange scans - inquisitive question Paul Rogers (Jun 09)