Security Incidents: Re: repeated zone transfer denied

Re: repeated zone transfer denied

From: Dave Dittrich <dittrich_at_cac.washington.edu>
Date: Tue, 9 Oct 2001 11:54:19 -0700 (PDT)

On Tue, 9 Oct 2001, Dave Dittrich wrote:

> On Mon, 8 Oct 2001, Ray wrote:
>
> > I have got the following message in syslog file every 20 minutes for many
> > consecutive days. It appears to come from the same IP. Anybody have an idea
> > what he intends to do?
> >
> >
> > Oct 8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383:
> > zone transfer denied
> > <repeated 4 times>
>
> Could be this (pain in the #^$$) courtesy of Microsoft's default
> configuration of Win2K and failure for it to stop trying after, oh
> say, the first 100 failures!)...

I think I read Ray's error message too quickly. I was referring to
refused zone UPDATES, not zone TRANSFERS.

Someone from Microsoft pointed out that DDNS queries don't use zone
transfers, which made me go back to the reports I see (every day)
of processed logs, which look like:

Unapproved zone updates:

57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXX.XXX.128.in-addr.arpa
57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXXXXX.washington.edu
                         [600 lines deleted]

115 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
191 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
560 occurrences of: denied update from [61.XXX.XXX.XX] for XXXX.org
596 occurrences of: denied update from [61.XXX.XX..X] for XXXX.org
60 occurrences of: denied update from [216.XXX.XX.XX] for XXXXXXX.washington.edu

(I'd hate to see the full system log!)

--
Dave Dittrich                           Computing & Communications
dittrich_at_cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington
PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
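One way to tell the two BIND messages apart that Dave distinguishes here (a refused zone transfer, logged as "client IP#port: zone transfer denied", versus a refused dynamic update, logged as "denied update from [IP] for zone") and roll them up into a per-client count like the processed-log report above. This is an added Python example, not code from the thread; the syslog lines are constructed, using RFC 5737 documentation addresses, and the message formats are assumed from the lines quoted in the thread.

```python
import re
from collections import Counter

# Zone transfer (AXFR/IXFR) refusals name the client as "IP#port".
TRANSFER_RE = re.compile(r"named\[\d+\]: client (?P<ip>[\d.]+)#\d+: zone transfer denied")
# Dynamic-update refusals name the client as "[IP]" (BIND 8 appends ".port")
# and the zone it tried to update; the zone may or may not be quoted.
UPDATE_RE = re.compile(r'named\[\d+\]: denied update from \[(?P<ip>[\d.]+)\](?:\.\d+)? for "?(?P<zone>[^"\s]+)"?')

def classify(line):
    """Return ("transfer", ip, None), ("update", ip, zone), or None if unrelated."""
    m = TRANSFER_RE.search(line)
    if m:
        return ("transfer", m.group("ip"), None)
    m = UPDATE_RE.search(line)
    if m:
        return ("update", m.group("ip"), m.group("zone"))
    return None

def summarize(lines):
    """Count refusals per client (transfers) and per client/zone pair (updates)."""
    transfers, updates = Counter(), Counter()
    for rec in filter(None, map(classify, lines)):
        kind, ip, zone = rec
        if kind == "transfer":
            transfers[ip] += 1
        else:
            updates[(ip, zone)] += 1
    return transfers, updates

def report(transfers, updates):
    """Render the counts in the 'N occurrences of:' style of the thread's report."""
    out = ["Denied zone transfers:"]
    out += [f"{n} occurrences of: zone transfer denied for client {ip}" for ip, n in transfers.most_common()]
    out += ["", "Unapproved zone updates:"]
    out += [f"{n} occurrences of: denied update from [{ip}] for {zone}" for (ip, zone), n in updates.most_common()]
    return "\n".join(out)

# Constructed sample syslog lines (RFC 5737 addresses), modelled on the thread.
SAMPLE_LOG = """\
Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client 192.0.2.26#53383: zone transfer denied
Oct  8 06:00:34 myserver /usr/sbin/named[2073]: client 192.0.2.26#53390: zone transfer denied
Oct  8 06:01:10 myserver /usr/sbin/named[2073]: denied update from [198.51.100.7].1066 for "7.100.51.198.in-addr.arpa" IN
Oct  8 06:01:10 myserver /usr/sbin/named[2073]: denied update from [198.51.100.7].1067 for "host7.example.edu" IN
Oct  8 06:21:10 myserver /usr/sbin/named[2073]: denied update from [198.51.100.7].1070 for "host7.example.edu" IN
Oct  8 06:30:00 myserver /usr/sbin/named[2073]: client 192.0.2.26#53401: zone transfer denied
""".splitlines()

if __name__ == "__main__":
    print(report(*summarize(SAMPLE_LOG)))
```

A host that shows up only under "Unapproved zone updates" every few minutes is the Win2K dynamic-DNS behaviour Dave describes, not a transfer attempt, and can be triaged accordingly.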
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Oct 09 2001