Odd log messages from ISC BIND named

Mark E. Mallett mem at mv.mv.com
Tue Feb 3 17:12:53 EST 2009


On Tue, Feb 03, 2009 at 04:55:22PM -0500, Ben Scott wrote:
> On Tue, Feb 3, 2009 at 1:11 PM, Mark E. Mallett <mem at mv.mv.com> wrote:
> > It's possible that somebody's testing using random query names instead
> > of "." -- "." is pretty easy to look for in the logs, but the random
> > names are more difficult.
> 
>   So why not just query for <google.com.> or something else that's
> legitimate and quite common?  These long domain names are obviously
> bogus, so it's almost as easy to filter for them.  Just look for any
> query which doesn't include a known gTLD or ccTLD.

My thought was that in the recent attack, using ".", the attacker gets
the nameserver to return the list of root servers (or at least the root
hints) when the nameserver is open for recursion.  That's a reasonably
large result.  Those names you gave don't have a '.' in them so I
think they will return that same big result (in that same case).

I guess they really aren't harder to look for in the logs, though; but
you have to know to look for something other than '.' . 


> > Anyway that's just guessing.
> 
>   Yah, me too in the above.  :)  It's not like we can see into the
> assumed attackers' minds.

Yeah.  Could be some probing for something completely different.

mm
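The thread above discusses two things a defender could filter for in BIND query logs: queries for "." (which an open recursive server answers with the comparatively large root-hints set) and query names that do not end in a known gTLD or ccTLD. The following Python is an added example written for this page, not code posted by either participant: it scans constructed BIND 9-style query log lines and flags both patterns, then tallies them per client. The log line layout and the `KNOWN_TLDS` set are assumptions; a real filter would load the IANA TLD list and match the exact format of the BIND version in use.

```python
import re
from collections import Counter

# Illustrative subset of TLDs (constructed for this example). A production
# filter would load the full IANA root zone TLD list instead.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "mil", "arpa",
              "us", "uk", "de", "fr", "jp", "ca", "au"}

# Matches the client address and the "query: <name> IN <type>" fields of a
# BIND 9 query log line. Assumed layout; field order differs across versions
# (newer releases insert "@0x..." handles and the qname in parentheses).
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r".*?query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def classify_query(name):
    """Return a reason string if the query name looks bogus, else None."""
    if name == ".":
        # Root query: an open recursor answers with the root-hints set.
        return "root-query"
    labels = [label for label in name.rstrip(".").split(".") if label]
    if not labels:
        return "root-query"
    if labels[-1].lower() not in KNOWN_TLDS:
        # Last label is not a TLD we know: random-looking or bogus name.
        return "unknown-tld"
    return None


def parse_line(line):
    """Extract (client, name, qtype) from a query log line, or None."""
    match = QUERY_RE.search(line)
    if not match:
        return None
    return match.group("client"), match.group("name"), match.group("qtype")


def scan_log(lines):
    """Return (flagged, per_client): flagged is a list of
    (client, name, qtype, reason); per_client counts flags per source."""
    flagged = []
    per_client = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a query line (e.g. zone-load messages)
        client, name, qtype = parsed
        reason = classify_query(name)
        if reason:
            flagged.append((client, name, qtype, reason))
            per_client[client] += 1
    return flagged, per_client


# Constructed sample log lines; addresses are from documentation ranges and
# the odd names are made up for illustration.
SAMPLE_LOG = [
    "03-Feb-2009 16:50:01.101 client 192.0.2.10#53000: query: . IN NS + (198.51.100.1)",
    "03-Feb-2009 16:50:01.202 client 192.0.2.10#53001: query: aqzxkrpmvbtleowyjs.invalidzz IN A + (198.51.100.1)",
    "03-Feb-2009 16:50:02.303 client 203.0.113.5#1024: query: google.com. IN A + (198.51.100.1)",
    "03-Feb-2009 16:50:02.404 client 203.0.113.5#1025: query: www.mv.com IN MX + (198.51.100.1)",
    "03-Feb-2009 16:50:03.505 client 192.0.2.10#53002: query: zzq9x7v3w.lmnop IN A + (198.51.100.1)",
    "03-Feb-2009 16:50:03.606 general: info: zone example.com/IN: loaded serial 2009020301",
]

if __name__ == "__main__":
    hits, counts = scan_log(SAMPLE_LOG)
    for client, name, qtype, reason in hits:
        print(f"{client:15} {reason:12} {qtype:4} {name}")
    print("flags per client:", dict(counts))
```

Running the block prints three flagged queries, all from the same source, which is the sort of per-client concentration that makes the "." and random-name probes visible even when no single log line stands out.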