Security Incidents mailing list archives

Re: DNS unapproved AXFR


From: Chris Keladis <Chris.Keladis () CMC CWO NET AU>
Date: Mon, 21 Aug 2000 19:51:37 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrea,

You have to be rather careful determining what is an attack and what isn't
when dealing with AXFRs.

There is ~5% (read: a small amount) of semi-legit AXFR traffic..

Could be a new Linux user who just worked out the wonders of dig or host
-l, it could be some DNS testing page on the web, it could be some badly
written software that, unbeknown to the user, performs an AXFR.

As you mentioned you received other scans, so if you can correlate those
scans in some way to the AXFRs, then you have every right to believe you
are being probed/attacked, but I wouldn't raise alerts when somebody has
just done an AXFR on your name servers.

All the same, keep a strict eye on AXFRs. The other 95% is usually rogue :)



Regards,

Chris.

At 09:36 AM 8/21/00 +0200, Andrea Vettori wrote:

Hi,

today I've noticed these lines in the logs (the ns allows transfer only
between the master and the slaves) :

Aug 19 16:55:31 ns named[9119]: unapproved AXFR from [140.233.20.99].1423 for "euromacchine.it" (acl)
Aug 19 16:56:30 ns named[9119]: unapproved AXFR from [140.233.20.99].1503 for "euromacchine.it" (acl)
Aug 19 23:32:04 ns named[9119]: unapproved AXFR from [203.75.204.245].1580 for "simatengineering.it" (acl)
Aug 19 23:59:57 ns named[9119]: unapproved AXFR from [140.233.20.99].1460 for "plas.it" (acl)
Aug 20 00:51:10 ns named[9119]: unapproved AXFR from [140.233.20.99].4574 for "niceforyou.it" (acl)

Can these be a prelude to an attack on our primary DNS server?

And why the AXFR on those domains and not on the others (.it, .com and .net)
the server contains?

P.S.

We receive one scan a day on the usual ports (IMAP, POP2, >1024, etc.).
Today someone has scanned our servers for port 98, which the IANA port numbers
list says is bound to tacnews (I don't know what that is).


Thank you

--
Ing. Andrea Vettori
Inetronics
An Internet Centric Company

Chris Keladis

System/Security Administrator
Custom Management Centre
Cable & Wireless Optus.

Phone: (02) 9775-5312
Mobile: (0402) 067-375
E-Mail: Chris.Keladis () cmc cwo net au



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOaKTeSEx0akmf5vwEQKQSQCfbbErw7YnkuJKvI8k3m3J//W8mJUAn0a5
3qqvsL1b+M6pKs3gZDas6L/h
=KnKP
-----END PGP SIGNATURE-----
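The triage Chris describes (log a lone AXFR, alert only when the same source also shows up in the port-scan records) is easy to automate. The following is an added example, not code from either poster: it parses "unapproved AXFR" lines in the BIND 8 format quoted above, joins them against port-scan records, and classifies each source. The AXFR lines are the ones quoted in the thread; the "portscan:" syslog format and its entries are constructed for this example, and the distinct-zone threshold is my own heuristic rather than anything stated in the thread. The trailing "(acl)" on each line is the reason BIND gave for refusing the transfer, consistent with the allow-transfer restriction Andrea describes, so these are refused probes rather than a zone leak.

```python
"""Triage BIND 'unapproved AXFR' log lines by correlating them with
port-scan records (added illustration of the advice in the thread)."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# AXFR lines as quoted in the thread (BIND 8 style "unapproved AXFR ... (acl)").
NAMED_LOG = """\
Aug 19 16:55:31 ns named[9119]: unapproved AXFR from [140.233.20.99].1423 for "euromacchine.it" (acl)
Aug 19 16:56:30 ns named[9119]: unapproved AXFR from [140.233.20.99].1503 for "euromacchine.it" (acl)
Aug 19 23:32:04 ns named[9119]: unapproved AXFR from [203.75.204.245].1580 for "simatengineering.it" (acl)
Aug 19 23:59:57 ns named[9119]: unapproved AXFR from [140.233.20.99].1460 for "plas.it" (acl)
Aug 20 00:51:10 ns named[9119]: unapproved AXFR from [140.233.20.99].4574 for "niceforyou.it" (acl)
"""

# Constructed port-scan records in a hypothetical "portscan:" syslog format;
# both the format and the entries are invented for this example.
SCAN_LOG = """\
Aug 20 00:40:12 ns portscan: src=140.233.20.99 dport=98 proto=tcp
Aug 20 00:40:13 ns portscan: src=140.233.20.99 dport=143 proto=tcp
Aug 20 07:15:44 ns portscan: src=10.9.8.7 dport=109 proto=tcp
"""

AXFR_RE = re.compile(
    r'unapproved AXFR from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\.(?P<port>\d+) '
    r'for "(?P<zone>[^"]+)" \((?P<reason>\w+)\)'
)
SCAN_RE = re.compile(r'portscan: src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d+)')


def parse_axfr(log: str) -> Dict[str, List[str]]:
    """Map each source IP to the zones it tried to transfer, one entry per attempt."""
    attempts: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        m = AXFR_RE.search(line)
        if m:
            attempts[m['ip']].append(m['zone'])
    return dict(attempts)


def parse_scans(log: str) -> Dict[str, Set[int]]:
    """Map each scanning source IP to the set of destination ports it probed."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for line in log.splitlines():
        m = SCAN_RE.search(line)
        if m:
            ports[m['ip']].add(int(m['dport']))
    return dict(ports)


def triage(named_log: str, scan_log: str, zone_threshold: int = 3) -> Dict[str, dict]:
    """Classify each AXFR source.

    'alert'      : the same source also port-scanned us (the correlation Chris suggests)
    'suspicious' : no scan seen, but the source swept >= zone_threshold distinct zones
                   (my own heuristic: a curious dig/host user usually tries one zone)
    'note'       : isolated attempt(s) against a single zone; log it, don't page anyone
    """
    axfr = parse_axfr(named_log)
    scans = parse_scans(scan_log)
    verdicts: Dict[str, dict] = {}
    for ip, zones in axfr.items():
        distinct = sorted(set(zones))
        if ip in scans:
            level = 'alert'
        elif len(distinct) >= zone_threshold:
            level = 'suspicious'
        else:
            level = 'note'
        verdicts[ip] = {
            'level': level,
            'attempts': len(zones),
            'zones': distinct,
            'scanned_ports': sorted(scans.get(ip, ())),
        }
    return verdicts


if __name__ == '__main__':
    for ip, v in triage(NAMED_LOG, SCAN_LOG).items():
        print(f"{ip:16} {v['level']:10} attempts={v['attempts']} "
              f"zones={','.join(v['zones'])} scanned={v['scanned_ports']}")
```

Run against the sample data, 140.233.20.99 comes out as 'alert' (four refused transfers across three zones plus a scan of ports 98 and 143 from the same address), while 203.75.204.245, which made a single attempt against one zone and never scanned anything, is merely noted. With no scan log at all the first source still drops only to 'suspicious' on the zone-sweep heuristic, which is the kind of sweep a curious user running dig rarely produces.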