Security Incidents mailing list archives

Re: DNS update queries: another sort of suspicious activity.


From: Flynnh () MONT DISA MIL (Flynn, Harold M. III)
Date: Mon, 31 Jan 2000 21:14:12 -0000


I had a similar incident myself, although this was involving an NT 4.0
machine, if I remember correctly.

I received mail from an SA out in California with the IP address of one of
the customers on the network, stating he'd been receiving numerous update
attempts on one of the domains he was hosting at his site.  After a look
through the accounting logs, I figured out who it was, and gave him a call.

We got an idea of what was going on from what he was running there at the
house.  Apparently, he had a domain hosted at the shop out in CA, and was
pulling down the mail from the domain to his house.  For some reason, the
machine (obviously misconfigured) was attempting to send domain updates.  By
looking at logs, every time he'd connect, he'd send a DNS update to his
hosting service every 2 or 3 minutes.  This would occur for the duration of
his connection (over dialup).

I thought he might have been trying to make some sort of DynDNS updates as
well, but never could confirm that, as he fixed the problem, and I left the
shop shortly thereafter.

-----Original Message-----
From: Patrick Oonk [SMTP:patrick () PINE NL]
Sent: Friday, January 28, 2000 2:02 PM
To:   INCIDENTS () SECURITYFOCUS COM
Subject:      Re: DNS update queries: another sort of suspicious activity.

On Fri, Jan 28, 2000 at 04:12:38PM +0300, Fyodor wrote:
Greetings,
Today I noticed quite interesting logs from my named:

Jan 28 05:56:54 ns named[14783]: unapproved update from
[192.168.0.4].126 for  myzone.com
Jan 28 05:57:09 ns last message repeated 2 times
...

Looks like someone tried to spoof DNS update queries to `update' zonefiles
of my nameserver. I will try to dissect DNS update query tonight to see if I
could write decent snort rules to detect this sort of attack.

Fyodor,

this seems to be a 'feature' of Windows 2000.
If you had portscanned the offending box you might
have seen it was a Win2k box.

      patrick
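As an added example (not code from anyone in this thread), here is a small Python parser that does the dissection Fyodor describes: it reads the DNS header, flags UPDATE requests (opcode 5, RFC 2136) and pulls out the zone they target, which is the condition a detection rule for this traffic would key on. The messages it builds are constructed sample traffic; the function and constant names are my own.

```python
import struct

# DNS opcodes (RFC 1035 section 4.1.1; UPDATE is defined in RFC 2136).
OPCODE_QUERY = 0
OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, offset):
    """Decode the first name in a message; returns (name, offset after it).
    The first name in a message can never be a compression pointer, so
    pointers are rejected rather than followed."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("unexpected compression pointer")
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_dns_message(opcode, name, rtype, rclass, txid=0x1234):
    """Build a one-entry DNS request (constructed sample traffic). For opcode 5
    the entry is the zone section, which RFC 2136 says carries ZTYPE=SOA."""
    header = struct.pack("!6H", txid, opcode << 11, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", rtype, rclass)


def classify_dns(msg):
    """Parse the 12-byte header; flag UPDATE requests and extract the target zone."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, count0, _, _, _ = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF          # bits 1-4 of the flags word
    is_response = bool(flags & 0x8000)    # QR bit
    info = {"id": txid, "opcode": opcode, "is_response": is_response,
            "is_update_request": opcode == OPCODE_UPDATE and not is_response}
    if info["is_update_request"] and count0 == 1:   # ZOCOUNT must be 1
        info["zone"], _ = decode_name(msg, 12)
    return info


if __name__ == "__main__":
    upd = build_dns_message(OPCODE_UPDATE, "myzone.com", TYPE_SOA, CLASS_IN)
    qry = build_dns_message(OPCODE_QUERY, "www.myzone.com", TYPE_A, CLASS_IN)
    print(classify_dns(upd))   # is_update_request True, zone 'myzone.com'
    print(classify_dns(qry))   # opcode 0, is_update_request False
```

The same header check (opcode field of the flags word equal to 5, QR bit clear) is what a packet-level signature for unsolicited dynamic updates would express.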
