DoS?

Sam Pointer sam.pointer at hpdsoftware.com
Thu Oct 24 13:26:59 UTC 2002


I am getting bombarded with entries in my query and syslog files. Here is a
small subset:
 
BIND query.log:
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#2761: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#2762: query: ns1.hpdsc.com IN A
client 200.76.208.65#22722: query: 1254130450450-3 IN TKEY
client 200.76.208.65#22723: query: 1254130450450-2 IN TKEY
client 200.76.208.65#22724: query: 1254130450450-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query:
_ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN
SRV
client 200.76.208.65#22728: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22729: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22730: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#22731: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22732: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22733: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.65#22734: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22735: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22736: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query:
_ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#22737: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22738: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22739: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22740: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22741: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22742: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22743: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22744: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22745: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22746: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22747: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22748: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query:
_ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN
SOA
client 200.76.208.65#22749: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22750: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22751: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
...
client 200.76.208.70#54177: query:
_kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.65#9051: query:
_gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query:
_gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.65#9051: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.65#9132: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9142: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 195.167.246.4#1027: query: hpdsc.com IN SOA
client 200.76.208.65#9158: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.65#9172: query:
_ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query:
_ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9183: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9202: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9202: query:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9218: query:
_ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN
SOA
client 200.76.208.70#54177: query:
_ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN
SOA
client 200.76.208.65#9226: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9226: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9241: query:
48e4f905-3da4-4346-abd4-391027e39ace._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9251: query: _kerberos._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.hpdsc.com IN SOA
client 200.76.208.65#9259: query:
_kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query:
_kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.65#9259: query:
_gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query:
_gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.65#9343: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9351: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9359: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
client 207.248.224.71#16916: query: _ldap._tcp.hpdsc.com IN SOA
...
client 200.76.208.65#6608: query: NS4.hpdsc.com IN A
client 200.76.208.65#6608: query: ns2.hpdsc.com IN A
client 200.76.208.65#6608: query: ns3.hpdsc.com IN A
 
ns1.hpdsc.com syslog:
Oct 24 14:00:32 ns1 named[799]: client 200.76.208.65#9261: update denied
Oct 24 14:00:47 ns1 last message repeated 2 times
Oct 24 14:01:24 ns1 named[799]: client 200.76.208.65#9268: update denied
Oct 24 14:00:47 ns1 last message repeated 2 times
Oct 24 14:01:24 ns1 named[799]: client 200.76.208.65#9268: update denied
Oct 24 14:01:39 ns1 last message repeated 2 times
Oct 24 14:02:16 ns1 named[799]: client 200.76.208.65#9276: update denied
Oct 24 14:01:39 ns1 last message repeated 2 times
Oct 24 14:02:16 ns1 named[799]: client 200.76.208.65#9276: update denied
Oct 24 14:02:31 ns1 last message repeated 2 times
Oct 24 14:03:08 ns1 named[799]: client 200.76.208.65#9283: update denied
Oct 24 14:02:31 ns1 last message repeated 2 times
Oct 24 14:03:08 ns1 named[799]: client 200.76.208.65#9283: update denied
Oct 24 14:03:23 ns1 last message repeated 2 times
Oct 24 14:04:01 ns1 named[799]: client 200.76.208.65#9291: update denied
Oct 24 14:03:23 ns1 last message repeated 2 times
Oct 24 14:04:01 ns1 named[799]: client 200.76.208.65#9291: update denied
Oct 24 14:04:16 ns1 last message repeated 2 times
Oct 24 14:04:53 ns1 named[799]: client 200.76.208.65#9298: update denied
Oct 24 14:04:16 ns1 last message repeated 2 times
Oct 24 14:04:53 ns1 named[799]: client 200.76.208.65#9298: update denied
Oct 24 14:05:08 ns1 last message repeated 2 times
Oct 24 14:05:45 ns1 named[799]: client 200.76.208.65#9305: update denied
Oct 24 14:05:08 ns1 last message repeated 2 times
Oct 24 14:05:45 ns1 named[799]: client 200.76.208.65#9305: update denied
Oct 24 14:06:00 ns1 last message repeated 2 times
Oct 24 14:06:38 ns1 named[799]: client 200.76.208.65#9312: update denied
Oct 24 14:06:00 ns1 last message repeated 2 times
Oct 24 14:06:38 ns1 named[799]: client 200.76.208.65#9312: update denied
Oct 24 14:06:53 ns1 last message repeated 2 times
Oct 24 14:07:30 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:06:53 ns1 last message repeated 2 times
Oct 24 14:07:30 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:07:35 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:07:39 ns1 named[799]: dynamic update failed: 'RRset exists (value
dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:07:44 ns1 named[799]: dynamic update failed: 'RRset exists (value
dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:07:45 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:07:54 ns1 named[799]: dynamic update failed: 'RRset exists (value
dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update denied
Oct 24 14:07:45 ns1 last message repeated 2 times
Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update denied
Oct 24 14:08:37 ns1 last message repeated 2 times

These two machines, 200.76.208.65 and 200.76.208.70, do not belong to me and are not
affiliated with me in any way. I have black-holed the IP addresses but still
it persists. Any ideas?
 
Either somebody is pretending to have a Win2K machine on my domain, which is
trying to add its Win2K records to my domain, or else they are maliciously
bombarding me.
 
Any help would be greatly appreciated.

Sam Pointer [Network, Security & UNIX]
_________________________________________
HPD Software Ltd. (www.hpdsoftware.com)
sam.pointer at hpdsoftware.com 
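The log excerpts above can be summarised mechanically rather than read by eye. The following script is an added example and is not part of the original post or of BIND; it runs over a constructed, trimmed copy of the post's own query.log and syslog lines, counts queries per client by record type, folds syslog "last message repeated N times" into the "update denied" count, and grades each client. The grading rule (SRV/SOA lookups under `_msdcs`/`_sites` or for `_ldap`/`_kerberos`/`_kpasswd`/`_gc` service names = Active Directory DC-locator traffic; `TKEY` queries and `update denied` = an attempt to negotiate GSS-TSIG and register records dynamically) is this example's assumption about what the pattern means, not something the post itself establishes.

```python
"""Summarise BIND query.log and syslog lines to spot a foreign Windows 2000
domain controller doing DC-locator lookups and dynamic-update attempts.

Added example, not code from the original bind-users post. Sample lines are
constructed from the post's excerpt and trimmed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of the query log (subset of the post's lines).
QUERY_LOG = """\
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV
client 200.76.208.65#2762: query: ns1.hpdsc.com IN A
client 200.76.208.65#22722: query: 1254130450450-3 IN TKEY
client 200.76.208.65#22723: query: 1254130450450-2 IN TKEY
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kerberos._udp.hpdsc.com IN SOA
client 195.167.246.4#1027: query: hpdsc.com IN SOA
client 200.76.208.65#9259: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
"""

# Constructed sample of the ns1 syslog (subset of the post's lines).
SYSLOG = """\
Oct 24 14:00:32 ns1 named[799]: client 200.76.208.65#9261: update denied
Oct 24 14:00:47 ns1 last message repeated 2 times
Oct 24 14:07:39 ns1 named[799]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update denied
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<type>\S+)")
UPDATE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: update denied")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# Assumed signature of AD DC-locator lookups: names under _msdcs/_sites or
# the _ldap/_kerberos/_kpasswd/_gc service names.
DC_LOCATOR_RE = re.compile(
    r"\._msdcs\.|\._sites\.|^_(ldap|kerberos|kpasswd|gc)\._(tcp|udp)\.")


def parse_queries(text):
    """Return a list of (client_ip, qname, qtype) for each query-log line."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("name"), m.group("type")))
    return out


def count_update_denials(text):
    """Count 'update denied' per client, including syslog 'repeated N times'
    lines that immediately follow a denial."""
    counts = Counter()
    last_ip = None
    for line in text.splitlines():
        m = UPDATE_RE.search(line)
        if m:
            last_ip = m.group("ip")
            counts[last_ip] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last_ip:
            counts[last_ip] += int(r.group("n"))
        else:
            last_ip = None  # some other message; a later "repeated" is not ours
    return counts


def classify_clients(query_text, syslog_text):
    """Per client: qtype counts, DC-locator names seen, TKEY count, denials."""
    report = defaultdict(lambda: {"types": Counter(), "locator": set(),
                                  "tkey": 0, "denied": 0})
    for ip, name, rtype in parse_queries(query_text):
        entry = report[ip]
        entry["types"][rtype] += 1
        if rtype == "TKEY":
            entry["tkey"] += 1
        elif DC_LOCATOR_RE.search(name):
            entry["locator"].add(name)
    for ip, n in count_update_denials(syslog_text).items():
        report[ip]["denied"] += n
    return dict(report)


def assess(entry):
    """'registering' if the client tried TKEY or a dynamic update,
    'probing' if it only did DC-locator lookups, None otherwise."""
    if entry["tkey"] or entry["denied"]:
        return "registering"
    if entry["locator"]:
        return "probing"
    return None


if __name__ == "__main__":
    for ip, entry in sorted(classify_clients(QUERY_LOG, SYSLOG).items()):
        print(ip, assess(entry), dict(entry["types"]),
              "tkey=%d denied=%d" % (entry["tkey"], entry["denied"]))
```

Run against the constructed sample, 200.76.208.65 grades as "registering" (TKEY plus denied updates), 200.76.208.70 as "probing" (SRV/SOA DC-locator lookups only), and the single SOA query from 195.167.246.4 is not flagged. The "update denied" lines show BIND is already refusing the updates; the script only makes the volume and the source of the attempts easy to see.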
More information about the bind-users mailing list