Security Incidents mailing list archives
Re: repeated zone transfer denied
From: Dave Dittrich <dittrich () cac washington edu>
Date: Tue, 9 Oct 2001 11:54:19 -0700 (PDT)
On Tue, 9 Oct 2001, Dave Dittrich wrote:
> On Mon, 8 Oct 2001, Ray wrote:
>
> > I have got the following message in syslog file every 20 minutes for
> > many consecutive days. It appears to come from the same IP. Does
> > anybody have an idea what he intends to do?
> >
> > Oct 8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383: zone transfer denied <repeated 4 times>
>
> Could be this (pain in the #^$$) courtesy of Microsoft's default
> configuration of Win2K and failure for it to stop trying after, oh
> say, the first 100 failures!)...
I think I read Ray's error message too quickly. I was referring to refused zone UPDATES, not zone TRANSFERS. Someone from Microsoft pointed out that DDNS queries don't use zone transfers, which made me go back to the reports I see (every day) of processed logs, which look like:

Unapproved zone updates:
    57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXX.XXX.128.in-addr.arpa
    57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXXXXX.washington.edu
    [600 lines deleted]
    115 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
    191 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
    560 occurrences of: denied update from [61.XXX.XXX.XX] for XXXX.org
    596 occurrences of: denied update from [61.XXX.XX..X] for XXXX.org
    60 occurrences of: denied update from [216.XXX.XX.XX] for XXXXXXX.washington.edu

(I'd hate to see the full system log!)

--
Dave Dittrich                        Computing & Communications
dittrich () cac washington edu       University Computing Services
http://staff.washington.edu/dittrich University of Washington
PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
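The distinction drawn in the message above (denied zone transfers versus denied dynamic updates) can be made mechanically when triaging named logs. The following is an added example, not part of the original post and not the script behind the report quoted there: it matches only the two message texts visible on this page, and the log lines, addresses and zone names in it are constructed.

```python
import re
from collections import Counter

# Message text as quoted in Ray's syslog line.
XFER_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+: zone transfer denied")
# Message text as it appears in the processed report in the reply.
UPDATE_RE = re.compile(r"denied update from \[(\d{1,3}(?:\.\d{1,3}){3})\] for (\S+)")

# Constructed sample (documentation address ranges); it mixes both message
# formats shown on the page so that each code path is exercised.
SAMPLE = """\
Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client 192.0.2.26#53383: zone transfer denied
Oct  8 06:00:34 myserver /usr/sbin/named[2073]: client 192.0.2.26#53391: zone transfer denied
Oct  8 06:01:02 myserver /usr/sbin/named[2073]: denied update from [198.51.100.7] for example.edu
Oct  8 06:01:09 myserver /usr/sbin/named[2073]: denied update from [198.51.100.7] for example.edu
Oct  8 06:01:15 myserver /usr/sbin/named[2073]: denied update from [198.51.100.7] for 100.51.198.in-addr.arpa
Oct  8 06:02:00 myserver /usr/sbin/named[2073]: denied update from [203.0.113.9] for example.org
Oct  8 06:03:00 myserver sshd[411]: unrelated line
""".splitlines()

def summarize(lines):
    """Return (transfers, updates): Counters keyed by source and by (source, zone)."""
    transfers, updates = Counter(), Counter()
    for line in lines:
        m = XFER_RE.search(line)
        if m:
            transfers[m.group(1)] += 1
            continue
        m = UPDATE_RE.search(line)
        if m:
            updates[(m.group(1), m.group(2))] += 1
    return transfers, updates

def report(lines):
    """Build a report in the style quoted above, noisiest source first."""
    transfers, updates = summarize(lines)
    out = ["Denied zone transfers:"]
    for src, n in sorted(transfers.items(), key=lambda kv: (-kv[1], kv[0])):
        out.append(f"{n} occurrences of: zone transfer denied for client {src}")
    out.append("Unapproved zone updates:")
    for (src, zone), n in sorted(updates.items(), key=lambda kv: (-kv[1], kv[0])):
        out.append(f"{n} occurrences of: denied update from [{src}] for {zone}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Keeping the two counters separate makes it visible at a glance whether a repeating source is requesting zone transfers or retrying dynamic updates.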