Security Incidents mailing list archives
Re: ?
From: jburdge () AVENTAIL COM (Jon Burdge)
Date: Mon, 7 Feb 2000 10:04:02 -0800
What he's seeing is that one of itprotect.de's authoritative nameservers has its IP address listed as 127.0.0.1. I'm not familiar enough with bind to make more than an educated guess, but I imagine it might be a bad thing if bind tried to make a query to loopback, which is why it's checked for and logged.

sol:/home/jon$ nslookup
Default Server: [edit]
Address: [edit]

server admii.arl.mil
Default Server: admii.arl.mil
Addresses: 128.63.5.4, 128.63.31.4

set query=ns
itprotect.de.
Server: admii.arl.mil
Addresses: 128.63.5.4, 128.63.31.4

Non-authoritative answer:
itprotect.de nameserver = krake.wse.de
itprotect.de nameserver = ns-pri.sne.de
itprotect.de nameserver = picalon.gun.de
itprotect.de nameserver = ns-sec.sne.de
itprotect.de nameserver = ns.datakontor.de

Authoritative answers can be found from:
krake.wse.de internet address = 194.231.184.1
ns-pri.sne.de internet address = 194.231.170.2
picalon.gun.de internet address = 192.109.159.1
ns-sec.sne.de internet address = 194.231.170.15
ns.datakontor.de internet address = 127.0.0.1

Does anyone know if this is an attempt to break or DoS a nameserver?

-----Original Message-----
From: Drissel, James W. [mailto:james.drissel () CMET AF MIL]
Sent: Thursday, February 03, 2000 2:59 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: ?

Just a guess, but what if a packet with your MAC address arrived from outside with a forged IP header listing your IP as the source IP and 127.0.0.1 as the destination? Would this do it?

James Drissel

-----Original Message-----
From: C. [mailto:claudiu.ionescu () SCALAJWT RO]
Sent: Thursday, February 03, 2000 3:33 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: ?

What could cause this in my logs:

Feb 3 00:38:47 main named[25851]: ns_forw: query(ITPROTECT.DE) Bogus LOOPBACK A RR (ns.datakontor.de:127.0.0.1)

Any idea?
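
Added example, not part of the original thread or of BIND: a Python triage sketch that pulls the zone, nameserver and address out of "Bogus LOOPBACK A RR" syslog lines and cross-checks a set of nameserver addresses for loopback entries. The regex is built only from the single log line quoted above, the function names are hypothetical, and also flagging the unspecified address is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample: the syslog line quoted in the thread plus one made-up
# filler line that must not match.
SAMPLE_LOG = (
    "Feb 3 00:38:47 main named[25851]: ns_forw: query(ITPROTECT.DE) "
    "Bogus LOOPBACK A RR (ns.datakontor.de:127.0.0.1)\n"
    "Feb 3 00:39:02 main named[25851]: constructed filler line\n"
)

# Nameserver addresses as they appear in the nslookup output in the thread.
SAMPLE_GLUE = {
    "krake.wse.de": "194.231.184.1",
    "ns-pri.sne.de": "194.231.170.2",
    "picalon.gun.de": "192.109.159.1",
    "ns-sec.sne.de": "194.231.170.15",
    "ns.datakontor.de": "127.0.0.1",
}

# Pattern derived from the one log line on this page (assumed stable format).
BOGUS_RE = re.compile(
    r"named\[\d+\]: ns_forw: query\((?P<zone>[^)]+)\) "
    r"Bogus LOOPBACK A RR \((?P<ns>[^:]+):(?P<addr>[0-9.]+)\)"
)


def parse_bogus_loopback(log_text):
    """Return (zone, nameserver, address) for each matching syslog line."""
    hits = []
    for line in log_text.splitlines():
        m = BOGUS_RE.search(line)
        if m:
            zone = m["zone"].lower().rstrip(".")
            hits.append((zone, m["ns"].lower(), m["addr"]))
    return hits


def loopback_glue(glue):
    """Return the nameservers whose A record is loopback or unspecified."""
    bad = {}
    for ns, addr in glue.items():
        ip = ipaddress.ip_address(addr)
        # is_unspecified (0.0.0.0) is an added check, not mentioned in the thread.
        if ip.is_loopback or ip.is_unspecified:
            bad[ns] = addr
    return bad
```

Grouping the parsed hits by zone shows whether the message comes from one misconfigured delegation, as in this thread, or from many unrelated zones.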