nanog mailing list archives

Re: Exploit for DNS Cache Poisoning - RELEASED


From: Graeme Fowler <graeme () graemef net>
Date: Fri, 25 Jul 2008 23:25:30 +0100

On Fri, 2008-07-25 at 18:14 -0400, Pete Carah wrote:
I saw much more than this *from the same address* starting two days ago, 
and from several other blocks belonging to the same university starting 
last week, to my home router and another server.  So far my better 
connected servers haven't been hit hard. (and no non-auto answer from 
"security" at that university...)

I saw this earlier in the week, along with queries for a domain name
which happens to have been registered by Dan Kaminsky, so I emailed him
about it. The addresses in question at Georgia Tech appear to be in use
as part of Doxpara's scan for unpatched systems, which he confirmed.

For those who are bothered, look out for queries from the same netblock
of the form:

rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com/A/IN

It's probably obvious to one and all what they should be for. And the
fact that the queries are denied by correctly configured (i.e. non-open)
resolvers makes it even less of a panic.

The sky isn't falling... yet.

Graeme
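As an added example (not part of the original message or of Doxpara's scanner), here is a small Python script that does what the post suggests: scan a resolver query log for names under the ports.dns-integrity-scan.com suffix quoted above, tally them by source netblock, and single out the ones arriving from outside the resolver's intended client networks, which a closed resolver should have refused. The log format is a simplified BIND 9 query-log style and the sample lines are constructed; only the suffix and the first label come from the post, the other tokens are made up.

```python
"""Flag DNS queries matching the dns-integrity-scan.com pattern in a resolver
query log and group them by source netblock.  Added example: assumes a
simplified BIND 9 style query log and uses constructed sample lines."""
import ipaddress
import re
from collections import Counter

# Suffix quoted in the post.  The leading label is an opaque per-query token,
# so only the suffix is matched.
SCAN_SUFFIX = ".ports.dns-integrity-scan.com"

# Constructed sample lines (not real logs), simplified BIND 9 query-log style:
#   <timestamp> client <ip>#<port>: query: <qname> <class> <type> <flags>
# The first token is the one quoted in the post; the others are made up.
SAMPLE_LOG = """\
25-Jul-2008 10:15:02.113 client 198.51.100.17#53211: query: rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com IN A +
25-Jul-2008 10:15:02.901 client 198.51.100.17#41022: query: www.example.com IN A +
25-Jul-2008 10:15:03.220 client 198.51.100.44#61003: query: ZXhhbXBsZS1jb25zdHJ1Y3RlZA==.ports.dns-integrity-scan.com IN A +
25-Jul-2008 10:15:04.005 client 203.0.113.9#50877: query: mail.example.net IN MX +
25-Jul-2008 10:15:05.330 client 203.0.113.9#50878: query: MADEUPTOKEN.PORTS.DNS-INTEGRITY-SCAN.COM. IN A +
25-Jul-2008 10:15:06.112 client 192.0.2.200#33333: query: dns-integrity-scan.com IN NS +
"""

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_scan_query(qname, suffix=SCAN_SUFFIX):
    """True if qname is <token><suffix>, compared case-insensitively and
    ignoring a trailing dot.  The bare apex and other subdomains do not match."""
    name = qname.lower().rstrip(".")
    if not name.endswith(suffix):
        return False
    return bool(name[: -len(suffix)])  # require a non-empty token label


def source_netblock(ip, v4_prefix=24, v6_prefix=48):
    """Aggregate a client address to its containing netblock."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def scan_hits_by_netblock(entries, **kw):
    """Count scan-pattern queries per source netblock."""
    counts = Counter()
    for e in entries:
        if is_scan_query(e["qname"]):
            counts[source_netblock(e["ip"], **kw)] += 1
    return counts


def from_outside(entries, allowed_nets):
    """Scan-pattern queries whose source lies outside the resolver's intended
    client networks.  A closed resolver should refuse these, so any that show
    up are worth checking against its recursion/ACL policy."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [
        e for e in entries
        if is_scan_query(e["qname"])
        and not any(ipaddress.ip_address(e["ip"]) in n for n in nets)
    ]


def report(text):
    """Parse a log text and return (netblock, count) pairs, busiest first."""
    counts = scan_hits_by_netblock(parse_query_log(text))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for block, n in report(SAMPLE_LOG):
        print(f"{block:20s} {n} scan-pattern queries")
    outside = from_outside(parse_query_log(SAMPLE_LOG), ["203.0.113.0/24"])
    print(f"{len(outside)} scan-pattern queries from non-client addresses")
```

Matching on the suffix rather than the token keeps the check stable across the varying first label, and aggregating to /24 (or /48 for IPv6) mirrors the "same netblock" observation in the post. The `from_outside` list is the one to act on: a non-open resolver should have nothing in it, so entries there point at an ACL worth reviewing rather than at the scan itself.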


