DoS?

Sam Pointer sam.pointer at hpdsoftware.com
Thu Oct 24 13:31:19 UTC 2002


HP Mexico DNS servers I think. Only affecting the nameserver listed as my
SOA...

-----Original Message-----
From: Drew Weaver [mailto:drew.weaver at thenap.com]
Sent: 24 October 2002 14:49
To: 'Sam Pointer'; 'comp-protocols-dns-bind at isc.org'
Subject: RE: DoS?


Ah you're getting those too? I got a bunch of that from some Fujitsu DNS
servers ... Tuesday night.

-Drew


-----Original Message-----
From: Sam Pointer [mailto:sam.pointer at hpdsoftware.com] 
Sent: Thursday, October 24, 2002 9:27 AM
To: comp-protocols-dns-bind at isc.org
Subject: DoS?


I am getting bombarded with entries in my query and syslog files. Here is a
small subset:
 
BIND query.log:
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#2761: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#2762: query: ns1.hpdsc.com IN A
client 200.76.208.65#22722: query: 1254130450450-3 IN TKEY
client 200.76.208.65#22723: query: 1254130450450-2 IN TKEY
client 200.76.208.65#22724: query: 1254130450450-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SRV
client 200.76.208.65#22728: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22729: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22730: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#22731: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22732: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22733: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.65#22734: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22735: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22736: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#22737: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22738: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22739: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22740: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22741: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22742: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22743: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22744: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22745: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22746: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22747: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22748: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA
client 200.76.208.65#22749: query: 1305670058002-3 IN TKEY
client 200.76.208.65#22750: query: 1305670058002-2 IN TKEY
client 200.76.208.65#22751: query: 1305670058002-2 IN TKEY
client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
...
client 200.76.208.70#54177: query: _kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.65#9051: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.65#9051: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.65#9132: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9142: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 195.167.246.4#1027: query: hpdsc.com IN SOA
client 200.76.208.65#9158: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.65#9172: query: _ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9183: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9202: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9202: query: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9218: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9226: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9226: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: gc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9241: query: 48e4f905-3da4-4346-abd4-391027e39ace._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9251: query: _kerberos._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _gc._tcp.Default-First-Site-Name._sites.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._udp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._tcp.hpdsc.com IN SOA
client 200.76.208.65#9259: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.70#54177: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#9259: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kpasswd._udp.hpdsc.com IN SOA
client 200.76.208.65#9343: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9351: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.65#9359: query: _ldap._tcp.hpdsc.com IN SOA
client 200.76.208.70#54177: query: _ldap._tcp.hpdsc.com IN SOA
client 207.248.224.71#16916: query: _ldap._tcp.hpdsc.com IN SOA
...
client 200.76.208.65#6608: query: NS4.hpdsc.com IN A
client 200.76.208.65#6608: query: ns2.hpdsc.com IN A
client 200.76.208.65#6608: query: ns3.hpdsc.com IN A
 
ns1.hpdsc.com syslog:
Oct 24 14:00:32 ns1 named[799]: client 200.76.208.65#9261: update denied
Oct 24 14:00:47 ns1 last message repeated 2 times
Oct 24 14:01:24 ns1 named[799]: client 200.76.208.65#9268: update denied
Oct 24 14:00:47 ns1 last message repeated 2 times
Oct 24 14:01:24 ns1 named[799]: client 200.76.208.65#9268: update denied
Oct 24 14:01:39 ns1 last message repeated 2 times
Oct 24 14:02:16 ns1 named[799]: client 200.76.208.65#9276: update denied
Oct 24 14:01:39 ns1 last message repeated 2 times
Oct 24 14:02:16 ns1 named[799]: client 200.76.208.65#9276: update denied
Oct 24 14:02:31 ns1 last message repeated 2 times
Oct 24 14:03:08 ns1 named[799]: client 200.76.208.65#9283: update denied
Oct 24 14:02:31 ns1 last message repeated 2 times
Oct 24 14:03:08 ns1 named[799]: client 200.76.208.65#9283: update denied
Oct 24 14:03:23 ns1 last message repeated 2 times
Oct 24 14:04:01 ns1 named[799]: client 200.76.208.65#9291: update denied
Oct 24 14:03:23 ns1 last message repeated 2 times
Oct 24 14:04:01 ns1 named[799]: client 200.76.208.65#9291: update denied
Oct 24 14:04:16 ns1 last message repeated 2 times
Oct 24 14:04:53 ns1 named[799]: client 200.76.208.65#9298: update denied
Oct 24 14:04:16 ns1 last message repeated 2 times
Oct 24 14:04:53 ns1 named[799]: client 200.76.208.65#9298: update denied
Oct 24 14:05:08 ns1 last message repeated 2 times
Oct 24 14:05:45 ns1 named[799]: client 200.76.208.65#9305: update denied
Oct 24 14:05:08 ns1 last message repeated 2 times
Oct 24 14:05:45 ns1 named[799]: client 200.76.208.65#9305: update denied
Oct 24 14:06:00 ns1 last message repeated 2 times
Oct 24 14:06:38 ns1 named[799]: client 200.76.208.65#9312: update denied
Oct 24 14:06:00 ns1 last message repeated 2 times
Oct 24 14:06:38 ns1 named[799]: client 200.76.208.65#9312: update denied
Oct 24 14:06:53 ns1 last message repeated 2 times
Oct 24 14:07:30 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:06:53 ns1 last message repeated 2 times
Oct 24 14:07:30 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:07:35 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:07:39 ns1 named[799]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:07:44 ns1 named[799]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:07:45 ns1 named[799]: client 200.76.208.65#9320: update denied
Oct 24 14:07:54 ns1 named[799]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update denied
Oct 24 14:07:45 ns1 last message repeated 2 times
Oct 24 14:08:22 ns1 named[799]: client 200.76.208.65#9333: update denied
Oct 24 14:08:37 ns1 last message repeated 2 times

These two machines 200.76.208.65\70 do not belong to me and are not
affiliated with me in any way. I have black-holed the IP addresses but still
it persists. Any ideas?
 
Either somebody is pretending to have a Win2K machine on my domain, which is
trying to add its Win2K records to my domain, or else they are maliciously
bombarding me.
 
Any help would be greatly appreciated.

Sam Pointer [Network, Security & UNIX]
_________________________________________
HPD Software Ltd. (www.hpdsoftware.com) sam.pointer at hpdsoftware.com 
 


This email and any attachments are strictly confidential and are intended
solely for the addressee. If you are not the intended recipient you must not
disclose, forward, copy or take any action in reliance on this message or
its attachments. If you have received this email in error please notify the
sender as soon as possible and delete it from your computer systems. Any
views or opinions presented are solely those of the author and do not
necessarily reflect those of HPD Software Limited or its affiliates.

At present the integrity of email across the internet cannot be guaranteed
and messages sent via this medium are potentially at risk. All liability is
excluded to the extent permitted by law for any claims arising as a result
of the use of this medium to transmit information by or to HPD Software
Limited or its affiliates.





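The sequence visible in the logs quoted in this thread (SRV and SOA lookups for the Active Directory service names under a zone and its _msdcs subtree, TKEY queries, then "update denied" in syslog) is what a Windows 2000 domain controller produces when it tries to register its records by dynamic update. The script below is an added example written for this page, not code from the thread, from HPD Software or from ISC; it parses constructed sample lines in the format quoted above, attributes syslog's "last message repeated N times" to the client named in the preceding line, and prints a per-client summary so an operator can see at a glance which sources are attempting registration. The threshold of three AD-name queries, the benign client 10.0.0.9, and the exact sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input in the format of the BIND query log and syslog
# excerpts quoted in the thread. The 200.76.208.x and 195.167.246.4 clients
# and the hpdsc.com names come from the post; 10.0.0.9 is an invented,
# benign client used to show what a normal lookup looks like alongside them.
QUERY_LOG = """\
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.pdc._msdcs.hpdsc.com IN SRV
client 200.76.208.65#22722: query: 1254130450450-3 IN TKEY
client 200.76.208.65#22723: query: 1254130450450-2 IN TKEY
client 200.76.208.70#54177: query: hpdsc.com IN SOA
client 200.76.208.70#54177: query: _kerberos._tcp.hpdsc.com IN SOA
client 200.76.208.65#9202: query: _ldap._tcp.gc._msdcs.hpdsc.com IN SOA
client 195.167.246.4#1027: query: hpdsc.com IN SOA
client 10.0.0.9#40000: query: www.hpdsc.com IN A
"""

SYSLOG = """\
Oct 24 14:00:32 ns1 named[799]: client 200.76.208.65#9261: update denied
Oct 24 14:00:47 ns1 last message repeated 2 times
Oct 24 14:01:24 ns1 named[799]: client 200.76.208.65#9268: update denied
Oct 24 14:07:39 ns1 named[799]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 24 14:07:44 ns1 last message repeated 2 times
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
QUERY_RE = re.compile(rf"client (?P<ip>{IPV4})#\d+: query: (?P<name>\S+) IN (?P<rtype>\S+)")
UPDATE_DENIED_RE = re.compile(rf"named\[\d+\]: client (?P<ip>{IPV4})#\d+: update denied")
REPEATED_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# Service labels a Windows domain controller registers in DNS (the netlogon
# SRV records); anything under _msdcs is treated the same way.
AD_PREFIXES = ("_ldap._tcp.", "_kerberos._tcp.", "_kerberos._udp.",
               "_kpasswd._tcp.", "_kpasswd._udp.", "_gc._tcp.")


def is_ad_registration_name(name):
    """True if the queried name is one a DC looks up while registering itself."""
    lowered = name.lower().rstrip(".")
    return lowered.startswith(AD_PREFIXES) or "._msdcs." in lowered


def new_counter():
    return {"ad_names": 0, "tkey": 0, "update_denied": 0, "other": 0}


def summarize(query_log, syslog):
    """Count, per client IP, the query and update events relevant to DC registration."""
    per_client = defaultdict(new_counter)
    for line in query_log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line; skip silently
        counts = per_client[m["ip"]]
        if m["rtype"].upper() == "TKEY":
            counts["tkey"] += 1          # GSS-TSIG key negotiation before a secure update
        elif is_ad_registration_name(m["name"]):
            counts["ad_names"] += 1
        else:
            counts["other"] += 1
    # syslog collapses repeats; "last message repeated N times" belongs to the
    # client named on the line before it, and only if that line was a denial.
    last_ip = None
    for line in syslog.splitlines():
        m = UPDATE_DENIED_RE.search(line)
        if m:
            per_client[m["ip"]]["update_denied"] += 1
            last_ip = m["ip"]
            continue
        r = REPEATED_RE.search(line)
        if r and last_ip is not None:
            per_client[last_ip]["update_denied"] += int(r["n"])
        else:
            last_ip = None  # a repeat after any other line is not a denial
    return dict(per_client)


def suspicious_clients(per_client, min_ad_names=3):
    """Return (ip, reasons) pairs for clients showing registration behaviour, most reasons first."""
    flagged = []
    for ip, c in per_client.items():
        reasons = []
        if c["update_denied"]:
            reasons.append(f"{c['update_denied']} denied dynamic updates")
        if c["tkey"]:
            reasons.append(f"{c['tkey']} TKEY queries")
        if c["ad_names"] >= min_ad_names:
            reasons.append(f"{c['ad_names']} AD service-record queries")
        if reasons:
            flagged.append((ip, reasons))
    flagged.sort(key=lambda item: (-len(item[1]), item[0]))
    return flagged


if __name__ == "__main__":
    summary = summarize(QUERY_LOG, SYSLOG)
    for ip, reasons in suspicious_clients(summary):
        print(f"{ip}: " + "; ".join(reasons))
```

Run against real files, the two string constants would be replaced by the contents of the query log and syslog; the output is the list of clients to check against the hosts that are actually supposed to register in the zone before tightening the zone's update policy.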



