Odd log messages from ISC BIND named

Chip Marshall chip at 2bithacker.net
Tue Feb 3 11:07:42 EST 2009


On February 03, 2009, Cole Tuininga sent me the following:
> On Tue, 2009-02-03 at 00:11 -0500, Ben Scott wrote:
> > client 192.0.2.42 query (cache)
> > 'aaccmmaaaafwx0000dlaaabaaafbbfpg/NS/IN' denied: 1 Time(s)
> > client 192.0.2.42 query (cache)
> > 'abbcneaaaafwx0000dlaaabaaafbkkag/NS/IN' denied: 1 Time(s)
> > client 192.0.2.42 query (cache)
> > 'acdbbbaaaafwx0000dlaaabaaafbpkeo/NS/IN' denied: 1 Time(s)
> 
> I'd guess they were either trying to do a "quick Kaminsky scan" or (less
> likely) looking for an open resolver.  Just my $.02.

Could be cache-probing as well. Older BINDs didn't link the
allow-recursion and allow-query-cache settings, so very often people would
disallow recursive queries but still allow queries to be answered
from cache. Not sure how useful it is to know what people have been
looking up, but I assume it could be used to aid in another attack.

By the way, does anyone else find the new ISC site to be really annoying
to navigate? Instead of nice lists for BIND version and documentation,
they've embedded all the links inside paragraphs of text.

-- 
Chip Marshall <chip at 2bithacker.net>
http://weblog.2bithacker.net/          KB1QYW        PGP key ID 43C4819E
v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM
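
An added example, not part of the original message and not code from ISC or the list: a small Python summariser for the "query (cache) ... denied" entries discussed in this thread, grouping them by client and flagging clients whose denied cache queries are nearly all for different names. The thresholds, the function names and the second client (198.51.100.7) are assumptions made for illustration; the three query names for 192.0.2.42 are the ones quoted above.

```python
import re
from collections import defaultdict

# Accepts the summarised form quoted in the thread ("client IP query (cache) ...
# denied: N Time(s)", possibly wrapped over two lines) and the raw named form
# ("client IP#port: query (cache) '...' denied").
DENIED = re.compile(
    r"client\s+(?P<ip>[0-9A-Fa-f.:]+?)(?:#\d+)?:?\s+query \(cache\)\s+"
    r"'(?P<name>[^/'\s]*)/(?P<qtype>\w+)/(?P<qclass>\w+)'\s+denied"
    r"(?::\s+(?P<n>\d+) Time\(s\))?"
)

def summarize(text):
    """Return {client_ip: {"total": int, "names": set, "qtypes": set}}."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "qtypes": set()})
    for m in DENIED.finditer(text):
        s = stats[m["ip"]]
        s["total"] += int(m["n"] or 1)   # raw log lines carry no count
        s["names"].add(m["name"].lower())
        s["qtypes"].add(m["qtype"])
    return dict(stats)

def probing_clients(stats, min_names=3, min_unique_ratio=0.9):
    """Clients whose denied cache queries are almost all for different names.
    Both thresholds are assumed starting points, not values from the thread."""
    return sorted(
        ip for ip, s in stats.items()
        if len(s["names"]) >= min_names
        and len(s["names"]) / s["total"] >= min_unique_ratio
    )

# Constructed sample: the first six lines repeat the entries quoted in the
# thread; the last two (198.51.100.7 and the timestamp) are made up.
SAMPLE = """\
client 192.0.2.42 query (cache)
'aaccmmaaaafwx0000dlaaabaaafbbfpg/NS/IN' denied: 1 Time(s)
client 192.0.2.42 query (cache)
'abbcneaaaafwx0000dlaaabaaafbkkag/NS/IN' denied: 1 Time(s)
client 192.0.2.42 query (cache)
'acdbbbaaaafwx0000dlaaabaaafbpkeo/NS/IN' denied: 1 Time(s)
client 198.51.100.7 query (cache) 'www.example.com/A/IN' denied: 5 Time(s)
03-Feb-2009 00:11:02.000 security: info: client 198.51.100.7#4242: query (cache) 'www.example.com/A/IN' denied
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip in probing_clients(stats):
        s = stats[ip]
        print(f"{ip}: {len(s['names'])} distinct names, types {sorted(s['qtypes'])}")
```

A client that retries one name many times, like the constructed 198.51.100.7 entries, is counted but not flagged.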