Odd log messages from ISC BIND named
Ben Scott
dragonhawk at gmail.com
Tue Feb 3 00:11:44 EST 2009
So, we had around 100 of these show up in the log from Sunday on
<liberty.gnhlug.org>, all from the same IP address, all with similar
but apparently never the same name pattern:

  client 192.0.2.42 query (cache) 'aaccmmaaaafwx0000dlaaabaaafbbfpg/NS/IN' denied: 1 Time(s)
  client 192.0.2.42 query (cache) 'abbcneaaaafwx0000dlaaabaaafbkkag/NS/IN' denied: 1 Time(s)
  client 192.0.2.42 query (cache) 'acdbbbaaaafwx0000dlaaabaaafbpkeo/NS/IN' denied: 1 Time(s)

(IP address changed to protect the guilty.) Speculation on what this
is? An attempt to exploit the Kaminsky vulnerability? A DDoS attack
that had a zombie directed at us by mistake? Some kind of bizarre
dictionary attack?

(For those wondering what this is: BIND is the reference DNS
implementation. ISC is the organization which maintains it. "named"
(name daemon) is the main DNS server program from BIND. These log
messages are DNS queries sent to the GNHLUG DNS server, but which were
rejected because we don't provide recursive service to non-local
hosts.)
-- Ben
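
Added example, not part of the original post: a small Python triage script that parses denied cache-query lines in the summary format quoted above, groups them by client, and reduces the queried names to a positional mask so the fixed and varying parts of the pattern stand out. The function names and the `?` mask convention are assumptions of this example; the sample input is the three entries from the message.

```python
import re
from collections import defaultdict

# Summary lines in the format quoted in the post. \s+ between fields lets
# the pattern match entries that a mail client wrapped onto two lines.
DENIED = re.compile(
    r"client\s+(?P<client>\S+)\s+query\s+\(cache\)\s+"
    r"'(?P<name>[^'/]+)/(?P<qtype>\w+)/(?P<qclass>\w+)'\s+"
    r"denied:\s+(?P<count>\d+)\s+Time\(s\)"
)

# Sample input: the three entries from the message, in their wrapped form.
SAMPLE = """\
client 192.0.2.42 query (cache)
'aaccmmaaaafwx0000dlaaabaaafbbfpg/NS/IN' denied: 1 Time(s)
client 192.0.2.42 query (cache)
'abbcneaaaafwx0000dlaaabaaafbkkag/NS/IN' denied: 1 Time(s)
client 192.0.2.42 query (cache)
'acdbbbaaaafwx0000dlaaabaaafbpkeo/NS/IN' denied: 1 Time(s)
"""

def parse_denied(text):
    """Return {client: [(name, qtype, count), ...]} for every denied entry."""
    by_client = defaultdict(list)
    for m in DENIED.finditer(text):
        by_client[m["client"]].append((m["name"], m["qtype"], int(m["count"])))
    return dict(by_client)

def positional_mask(names):
    """Keep characters shared by all names, '?' where they differ.
    Returns None when the names are not all the same length."""
    if not names or len({len(n) for n in names}) != 1:
        return None
    return "".join(c[0] if len(set(c)) == 1 else "?" for c in zip(*names))

def summarize(text):
    """Per-client totals, distinct names, query types and name mask."""
    report = {}
    for client, entries in parse_denied(text).items():
        names = sorted({name for name, _, _ in entries})
        report[client] = {
            "total": sum(count for _, _, count in entries),
            "distinct_names": len(names),
            "qtypes": sorted({qtype for _, qtype, _ in entries}),
            "mask": positional_mask(names),
        }
    return report
```

A client whose distinct-name count equals its total and whose mask has a long fixed run is sending generated names rather than repeating a lookup, which is the "similar but never the same" pattern described in the message.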