Security Incidents mailing list archives
Re: DNS unapproved AXFR
From: Chris Keladis <Chris.Keladis () CMC CWO NET AU>
Date: Mon, 21 Aug 2000 19:51:37 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrea,

You have to be rather careful determining what is an attack and what isn't when dealing with AXFRs. There is ~5% (read: a small amount) of semi-legit AXFR traffic. Could be a new Linux user who just worked out the wonders of dig or host -l, it could be some DNS testing page on the web, it could be some badly written software that, unbeknown to the user, performs an AXFR.

As you mentioned you received other scans, so if you can correlate those scans in some way to the AXFRs, then you have every right to believe you are being probed/attacked, but I wouldn't raise alerts when somebody has just done an AXFR on your name servers.

All the same, keep a strict eye on AXFRs. The other 95% is usually rogue :)

Regards,

Chris.

At 09:36 AM 8/21/00 +0200, Andrea Vettori wrote:

> Hi, today I've noticed these lines in the logs (the ns allows transfer only between the master and the slaves):
>
> Aug 19 16:55:31 ns named[9119]: unapproved AXFR from [140.233.20.99].1423 for "euromacchine.it" (acl)
> Aug 19 16:56:30 ns named[9119]: unapproved AXFR from [140.233.20.99].1503 for "euromacchine.it" (acl)
> Aug 19 23:32:04 ns named[9119]: unapproved AXFR from [203.75.204.245].1580 for "simatengineering.it" (acl)
> Aug 19 23:59:57 ns named[9119]: unapproved AXFR from [140.233.20.99].1460 for "plas.it" (acl)
> Aug 20 00:51:10 ns named[9119]: unapproved AXFR from [140.233.20.99].4574 for "niceforyou.it" (acl)
>
> Could these be a prelude to an attack on our primary DNS server? And why the AXFR on those domains and not on the others (.it, .com and .net) the server contains?
>
> P.S. We receive one scan a day on the usual ports (IMAP, POP2, >1024, etc.). Today someone has scanned our servers for port 98, which the IANA port numbers list says is bound to tacnews (which I don't know what it is).
>
> Thank you
>
> --
> Ing. Andrea Vettori
> Inetronics
> An Internet Centric Company

Chris Keladis
System/Security Administrator
Custom Management Centre
Cable & Wireless Optus.
Phone: (02) 9775-5312
Mobile: (0402) 067-375
E-Mail: Chris.Keladis () cmc cwo net au

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOaKTeSEx0akmf5vwEQKQSQCfbbErw7YnkuJKvI8k3m3J//W8mJUAn0a5
3qqvsL1b+M6pKs3gZDas6L/h
=KnKP
-----END PGP SIGNATURE-----
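The triage Chris describes (log a lone denied AXFR, look harder at a source walking several zones, alert only when the same source also shows up in other scans) as an added example, not code from either poster; it parses the BIND "unapproved AXFR" lines quoted in the thread, and the `other_scanners` set stands in for whatever list of port-scanning sources the site already keeps:

```python
import re
from collections import defaultdict

# Constructed sample: the exact BIND 8 log lines quoted by Andrea in this thread.
SAMPLE_LOG = """\
Aug 19 16:55:31 ns named[9119]: unapproved AXFR from [140.233.20.99].1423 for "euromacchine.it" (acl)
Aug 19 16:56:30 ns named[9119]: unapproved AXFR from [140.233.20.99].1503 for "euromacchine.it" (acl)
Aug 19 23:32:04 ns named[9119]: unapproved AXFR from [203.75.204.245].1580 for "simatengineering.it" (acl)
Aug 19 23:59:57 ns named[9119]: unapproved AXFR from [140.233.20.99].1460 for "plas.it" (acl)
Aug 20 00:51:10 ns named[9119]: unapproved AXFR from [140.233.20.99].4574 for "niceforyou.it" (acl)
"""

# Matches the BIND 8 "unapproved AXFR" message; other named messages are skipped.
AXFR_RE = re.compile(
    r'named\[\d+\]: unapproved AXFR from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)"'
)

def parse_axfr_denials(text):
    """Yield (source_ip, zone) for every denied-AXFR line in the log text."""
    for line in text.splitlines():
        m = AXFR_RE.search(line)
        if m:
            yield m.group("ip"), m.group("zone")

def triage_axfr(text, other_scanners=frozenset(), zone_threshold=3):
    """Group denied AXFRs by source and assign a triage level per source.

    other_scanners: assumed input, the site's own list of IPs seen port-scanning
    (the correlation Chris suggests). zone_threshold: distinct zones before a
    source is worth a closer look even without other scans.
    """
    zones_by_ip = defaultdict(set)
    attempts_by_ip = defaultdict(int)
    for ip, zone in parse_axfr_denials(text):
        zones_by_ip[ip].add(zone)
        attempts_by_ip[ip] += 1
    report = {}
    for ip, zones in zones_by_ip.items():
        if ip in other_scanners:
            level = "alert"   # AXFR plus other scans from the same source
        elif len(zones) >= zone_threshold:
            level = "watch"   # walking several zones: keep a strict eye on it
        else:
            level = "log"     # a lone denied AXFR: likely dig/host -l or a test page
        report[ip] = {"attempts": attempts_by_ip[ip], "zones": sorted(zones), "level": level}
    return report

if __name__ == "__main__":
    for ip, info in sorted(triage_axfr(SAMPLE_LOG).items()):
        print(f"{ip:16} {info['level']:6} {info['attempts']} attempts on {', '.join(info['zones'])}")
```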
Current thread:
- DNS unapproved AXFR Andrea Vettori (Aug 21)
- Re: DNS unapproved AXFR Dan Hollis (Aug 21)
- Re: DNS unapproved AXFR Chris Keladis (Aug 21)
- Re: DNS unapproved AXFR Bjorn Djupvik (Aug 22)
- Re: DNS unapproved AXFR Ian Eure (Aug 22)