Security Incidents mailing list archives

Re: repeated zone transfer denied

From: Dave Dittrich <dittrich () cac washington edu>
Date: Tue, 9 Oct 2001 11:54:19 -0700 (PDT)

On Tue, 9 Oct 2001, Dave Dittrich wrote:

On Mon, 8 Oct 2001, Ray wrote:

I have got the following message in syslog file every 20 minutes for many
consecutive days. It appear to come from the same IP.  Anybody have idea
what he intend to do ?


Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383:
zone transfer denied
<repeated 4 times>


Could be this (pain in the #^$$) courtesy of Microsoft's default
configuration of Win2K and failure for it to stop trying after, oh
say, the first 100 failures!)...


I think I read Ray's error message too quickly.  I was refering to
refused zone UPDATES, not zone TRANSFERS.

Someone from Microsoft pointed out that DDNS queries don't use zone
transfers, which made me go back to the reports I see (every day)
of processed logs, which look like:


Unapproved zone updates:

57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXX.XXX.128.in-addr.arpa
57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXXXXX.washington.edu
                         [600 lines deleted]

115 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
191 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
560 occurrences of: denied update from [61.XXX.XXX.XX] for XXXX.org
596 occurrences of: denied update from [61.XXX.XX..X] for XXXX.org
60 occurrences of: denied update from [216.XXX.XX.XX] for XXXXXXX.washington.edu

(I'd hate to see the full system log!)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

new pop3 exploit out? leon (Oct 05)
- Re: new pop3 exploit out? Valdis . Kletnieks (Oct 06)
  - RE: new pop3 exploit out? leon (Oct 06)
    - repeated zone transfer denied Ray (Oct 07)
    - Message not available
    - Re: repeated zone transfer denied Ray (Oct 07)
    - Re: repeated zone transfer denied Dave Dittrich (Oct 09)
    - Re: repeated zone transfer denied Dave Dittrich (Oct 09)
- RE: new pop3 exploit out? Alvaro Soto (Oct 07)
- <Possible follow-ups>
- RE: new pop3 exploit out? James Weiler (Oct 08)
- RE: new pop3 exploit out? Miller, Toby (Oct 09)