Security Incidents mailing list archives

Re: Large number of BIND probes.


From: core.lists.incidents () CORE-SDI COM (Iván Arce)
Date: Thu, 30 Dec 1999 15:23:25 -0300


Erik Fichtner wrote:

On Wed, Dec 29, 1999 at 10:56:24AM -0600, Craig H. Rowland wrote:
Last night I received a very large number of probes to TCP port 53 on one
of my DNS servers. I filter out all TCP port 53 traffic to these systems
except for secondaries/primaries for zone transfers, but would like to
know if anyone has seen a pickup in this activity as well. There were six
separate hosts yesterday alone that tried. This is a new record for me.
Seems like there may be a new BIND attack going around. :(

I only got hit with one set of version.bind probes last night, and only on
the primary nameservers listed with the InterNIC, but they were rather
persistent at trying to figure out if it was a bind4 or a bind8 with
version.bind shut off..


This most likely means that someone out there is trying to find
BIND versions vulnerable to the NXT bug (8.2)

See http://www.securityfocus.com/vdb/bottom.html?vid=788
and http://www.cert.org/advisories/CA-99-14-bind.html

-ivan

--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com
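
Added example, not part of the original message or of any poster's code: one way to flag the version.bind probes described in this thread from captured DNS queries and count them per source. It takes the raw DNS message (the UDP payload, or a TCP message with its two-byte length prefix removed); the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

TYPE_TXT, CLASS_CHAOS = 16, 3   # version.bind is asked as a TXT record in class CH

def parse_question(msg: bytes):
    """Return (qname, qtype, qclass) of the first question in a DNS query, else None."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:       # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None                     # name runs off the end
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            return None                     # pointer/reserved label or truncated
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_version_probe(msg: bytes) -> bool:
    return parse_question(msg) == ("version.bind", TYPE_TXT, CLASS_CHAOS)

def probes_by_source(packets):
    """Count version.bind queries per source from (src_ip, dns_message) pairs."""
    return Counter(src for src, msg in packets if is_version_probe(msg))

def build_query(name, qtype, qclass, txid=0x1234):
    """Build a constructed sample query (header flags 0x0100: standard query, RD)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

# Constructed sample traffic; 192.0.2.0/24 is a documentation range.
SAMPLE = [
    ("192.0.2.10", build_query("version.bind", TYPE_TXT, CLASS_CHAOS)),
    ("192.0.2.10", build_query("VERSION.BIND", TYPE_TXT, CLASS_CHAOS)),
    ("192.0.2.20", build_query("www.example.com", 1, 1)),
]

if __name__ == "__main__":
    print(probes_by_source(SAMPLE))
```

The name comparison is case-insensitive because DNS names are, so mixed-case probes are counted too.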


