Security Incidents mailing list archives

Re: DNS update queries: another sort of suspicious activity.


From: patrick () PINE NL (Patrick Oonk)
Date: Fri, 28 Jan 2000 21:02:16 +0100


On Fri, Jan 28, 2000 at 04:12:38PM +0300, Fyodor wrote:
> Greetings,
>  Today noticed quite interesting logs from my named:
>
> Jan 28 05:56:54 ns named[14783]: unapproved update from [192.168.0.4].126 for  myzone.com
> Jan 28 05:57:09 ns last message repeated 2 times
> ...
>
> Looks like someone tried to spoof DNS update queries to `update' zonefiles
> of my nameserver. I will try to dissect DNS update query tonight to see if I
> could write decent snort rules to detect this sort of attack.
 
Fyodor,

this seems to be a 'feature' of Windows 2000.
If you had portscanned the offending box you might
have seen it was a Win2k box. 

        patrick

-- 
 Patrick Oonk - PO1-6BONE - patrick () pine nl - www.pine.nl/~patrick
 Pine Internet B.V.      PINE31337-RIPE        PGP key ID BE7497F1  
 Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
 ----    Pine Security Digest - http://security.nl/ (Dutch)   ----
 Excuse of the day: Your excuse is: poor power conditioning
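Fyodor mentions wanting to dissect a DNS UPDATE query in order to write detection rules. As an added example (not from either poster), here is a small Python dissector that recognises DNS UPDATE messages by their opcode (5, per RFC 2136) and lists the records the client is asking the server to add, together with a constructed sample request of the kind a dynamic-DNS client such as Windows 2000 sends. The zone, host name and address are made up.

```python
import struct

OPCODE_UPDATE = 5  # DNS UPDATE opcode (RFC 2136); an ordinary query carries opcode 0

def read_name(msg, off):
    """Decode a DNS name at off, following compression pointers. Returns (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def dissect_update(msg):
    """Return zone and update-section records if msg is a DNS UPDATE, else None."""
    if len(msg) < 12:
        return None
    ident, flags, zocount, prcount, upcount, _ = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF                        # the nibble right below the QR bit
    if opcode != OPCODE_UPDATE or zocount != 1:
        return None
    zone, off = read_name(msg, 12)
    off += 4                                            # skip ZTYPE (SOA) and ZCLASS
    records = []
    for i in range(prcount + upcount):                  # prerequisite and update RRs share one format
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if i >= prcount:                                # keep only the update section
            records.append((name, rtype, rclass, ttl))
        off += 10 + rdlen
    return {"id": ident, "zone": zone, "updates": records}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_update(zone, host, ip):
    """Constructed test input: a minimal UPDATE adding one A record, as a DDNS client would send."""
    header = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)       # ZTYPE=SOA, ZCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    rr = encode_name(host) + struct.pack("!HHIH", 1, 1, 1200, len(rdata)) + rdata
    return header + zone_sec + rr
```

Running `dissect_update` over UDP/53 payloads captured on the nameserver shows which hosts send UPDATEs and for which zone, which is the same opcode check a signature rule would key on.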

