Need to verify an assumption to make sure I haven't been hacked
Kevin Darcy
kcd at daimlerchrysler.com
Tue Jun 5 21:55:27 UTC 2007
Rob Tanner wrote:
> This is probably completely self evident, but I want to be sure. We
> have two internal name servers which unfortunately, until a couple of
> days ago were externally exposed. Together they make up a high
> availability cluster and now only the cluster IP is exposed and properly
> locked down. We are being hit with a huge flood of dynamic updates from
> the internet which are being refused because we don't do any dynamic
> updating. The requests come in via UDP and our network manager is
> concerned because she sees lots of UDP packets (contents unknown) coming
> from the name server as well and going back out through the firewall to
> the internet. My assumption is that's simply a message back saying that
> the dynamic update was refused and would be normal under the
> circumstances. Is that assumption correct?
>
As assumptions go, probably correct. But why are you all ASSUMING?
Doesn't your network manager have a sniffer? Take a look at the traffic
and see what it is. That might help you sleep better at night.
> BTW, this flood of dynamic updates is coming from hundreds of different
> addresses and I suspect it's a BOT infecting machines as it goes.
>
I think it's more likely to be Wintel boxes with "register my IP address
automatically" enabled and your domain configured as their "home" domain
(for whatever reason). I see this all of the time.
- Kevin
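As an added illustration, not part of Kevin's or Rob's messages, here is a small Python sketch of the check Kevin suggests: decode the DNS header of each captured UDP payload and confirm that the outbound packets are nothing more than REFUSED replies to inbound UPDATE (opcode 5) requests, with the transaction ID matched to the request. The packets are assumed to have already been pulled out of a capture as (direction, payload) pairs; the sample packets below are constructed inline so the script runs offline.

```python
"""Decode DNS headers from captured UDP payloads and check whether the
outbound packets are just REFUSED replies to inbound UPDATE requests.
Added example; assumes packets arrive as (direction, payload) pairs."""
import struct
from collections import Counter

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH", 10: "NOTZONE"}


def parse_dns_header(payload):
    """Return the fields of the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("payload too short for a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,          # 0 = request, 1 = response
        "opcode": OPCODES.get(opcode, str(opcode)),
        "rcode": RCODES.get(rcode, str(rcode)),
        "counts": (qd, an, ns, ar),
    }


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_update_request(ident, zone):
    """Constructed sample: a minimal UPDATE (opcode 5) carrying only a Zone section."""
    flags = 5 << 11                                      # QR=0, OPCODE=UPDATE
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)  # ZTYPE=SOA, ZCLASS=IN


def build_refused_response(request):
    """What a server that does no dynamic updating sends back: same ID and
    opcode, QR bit set, RCODE=REFUSED, no records."""
    ident, flags, qd, _, _, _ = struct.unpack("!HHHHHH", request[:12])
    flags = ((flags | 0x8000) & 0xFFF0) | 5              # set QR, replace RCODE with 5
    return struct.pack("!HHHHHH", ident, flags, qd, 0, 0, 0) + request[12:]


def summarize_capture(packets):
    """packets: iterable of (direction, payload); direction is 'in'
    (Internet -> server) or 'out' (server -> Internet). Outbound replies are
    matched by ID and opcode to an earlier inbound request; anything the
    server sent on its own initiative is tallied separately so it stands out."""
    pending = {}          # transaction ID -> opcode of an inbound request awaiting a reply
    tally = Counter()
    for direction, payload in packets:
        h = parse_dns_header(payload)
        if direction == "in":
            if h["qr"] == 0:
                pending[h["id"]] = h["opcode"]
                tally["in %s request" % h["opcode"]] += 1
            else:
                tally["in %s response" % h["opcode"]] += 1
        elif h["qr"] == 1:
            matched = pending.pop(h["id"], None) == h["opcode"]
            suffix = "" if matched else " (no matching request)"
            tally["out %s reply %s%s" % (h["opcode"], h["rcode"], suffix)] += 1
        else:
            tally["out %s request (server-initiated)" % h["opcode"]] += 1
    return dict(tally)


# Constructed capture: three inbound UPDATEs, each answered with REFUSED, plus one
# ordinary query the server sent itself, to show how it is reported differently.
SAMPLE_CAPTURE = []
for _ident in (0x1001, 0x1002, 0x1003):
    _req = build_update_request(_ident, "example.com")
    SAMPLE_CAPTURE.append(("in", _req))
    SAMPLE_CAPTURE.append(("out", build_refused_response(_req)))
SAMPLE_CAPTURE.append(("out", struct.pack("!HHHHHH", 0x2001, 0x0100, 1, 0, 0, 0)
                       + encode_name("www.example.net") + struct.pack("!HH", 1, 1)))

if __name__ == "__main__":
    for key, count in sorted(summarize_capture(SAMPLE_CAPTURE).items()):
        print("%-45s %d" % (key, count))
```

To get real payloads in, a capture filter on the firewall or the server such as `tcpdump -ni eth0 'udp port 53 and (udp[10] & 0x78) = 0x28'` (an added suggestion; `udp[10]` is the high flags byte of the DNS header behind the 8-byte UDP header, and the mask picks out opcode 5) shows only UPDATE traffic in both directions; the UDP payloads can then be handed to `summarize_capture`. If every outbound packet ends up under "out UPDATE reply REFUSED" with a matching inbound request, the assumption in the question holds; anything under "no matching request" or "server-initiated" is what to look at next.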