Need to verify an assumption to make sure I haven't been hacked
Mark Andrews
Mark_Andrews at isc.org
Tue Jun 5 22:18:20 UTC 2007
> This is probably completely self evident, but I want to be sure. We
> have two internal name servers which unfortunately, until a couple of
> days ago were externally exposed. Together they make up a high
> availability cluster and now only the cluster IP is exposed and properly
> locked down. We are being hit with a huge flood of dynamic updates from
> the internet which are being refused because we don't do any dynamic
> updating. The requests come in via UDP and our network manager is
> concerned because she sees lots of UDP packets (contents unknown) coming
> from the name server as well and going back out through the firewall to
> the internet. My assumption is that's simply a message back saying that
> the dynamic update was refused and would be normal under the
> circumstances. Is that assumption correct?
> BTW, this flood of dynamic updates is coming from hundreds of different
> addresses and I suspect it's a BOT infecting machines as it goes.
>
>
> Thanks,
> Rob
>
>
> --
> Rob Tanner
> UNIX Services Manager
> Linfield College, McMinnville OR
Anything anyone says here other than get a packet sniffer
out and look at the contents of the packets will be pure
speculation.
Yes, named's default is to refuse all UPDATE requests.
Note: pre-requisites are processed *before* access control
so there may be other rcodes than REFUSED. You should
however not see No Error to an UPDATE request.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
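Mark's advice is to sniff the traffic and look at the packets rather than guess. The following is an added example (not code from Mark, ISC or the bind-users thread) showing what to look for in such a capture: it parses only the fixed 12-byte DNS header of each UDP payload, tells UPDATE requests apart from UPDATE responses, and flags the one case Mark says should never occur on a server that allows no dynamic updates, a NOERROR response to an UPDATE. Responses with rcodes such as NXRRSET or YXDOMAIN are reported as prerequisite failures rather than as a problem, since prerequisites are checked before access control. The sample payloads are constructed here with a small helper; in practice you would feed it the UDP payloads of a capture taken with something like `tcpdump -nn udp port 53 -w updates.pcap`.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

OPCODE_UPDATE = 5  # RFC 2136 opcode for dynamic update
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
               5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET",
               9: "NOTAUTH", 10: "NOTZONE"}


@dataclass(frozen=True)
class DnsHeader:
    ident: int
    is_response: bool
    opcode: int
    rcode: int
    counts: Tuple[int, int, int, int]  # for UPDATE: ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT


def parse_header(payload: bytes) -> DnsHeader:
    """Parse the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS message: %d bytes" % len(payload))
    ident, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", payload[:12])
    return DnsHeader(ident=ident,
                     is_response=bool(flags & 0x8000),   # QR bit
                     opcode=(flags >> 11) & 0xF,
                     rcode=flags & 0xF,
                     counts=(c1, c2, c3, c4))


def classify(payload: bytes) -> str:
    """Return a short verdict for one DNS message.

    'update-accepted' is the case that must not appear on a server with no
    allow-update/update-policy: a NOERROR answer means an update was applied.
    """
    h = parse_header(payload)
    if h.opcode != OPCODE_UPDATE:
        return "other"
    if not h.is_response:
        return "update-request"
    if h.rcode == 0:
        return "update-accepted"
    if h.rcode == 5:
        return "update-refused"
    # Prerequisite or zone problems (NXRRSET, YXDOMAIN, NOTZONE, ...): these
    # rcodes are possible before the access check, so they are not alarming.
    return "update-rejected-" + RCODE_NAMES.get(h.rcode, str(h.rcode))


def audit(payloads: Iterable[bytes]) -> Dict[str, int]:
    """Count verdicts over a set of captured UDP payloads."""
    counts: Dict[str, int] = {}
    for p in payloads:
        v = classify(p)
        counts[v] = counts.get(v, 0) + 1
    return counts


def accepted_update_ids(payloads: Iterable[bytes]) -> List[int]:
    """Message IDs of UPDATE responses that report NOERROR; expect an empty list."""
    return [parse_header(p).ident for p in payloads if classify(p) == "update-accepted"]


def build_header(ident: int, response: bool, opcode: int, rcode: int,
                 counts: Tuple[int, int, int, int] = (1, 0, 0, 0)) -> bytes:
    """Construct a bare 12-byte header for testing (hypothetical sample data)."""
    flags = (0x8000 if response else 0) | ((opcode & 0xF) << 11) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, *counts)


# Constructed sample traffic: an inbound UPDATE with one update RR, the server's
# REFUSED reply, a prerequisite failure, an ordinary query response, and one
# NOERROR reply to an UPDATE that a locked-down server should never send.
SAMPLE = [
    build_header(0x1234, False, OPCODE_UPDATE, 0, (1, 0, 1, 0)),
    build_header(0x1234, True, OPCODE_UPDATE, 5),
    build_header(0x1235, True, OPCODE_UPDATE, 8),
    build_header(0x0042, True, 0, 0),
    build_header(0x1236, True, OPCODE_UPDATE, 0),
]

if __name__ == "__main__":
    for verdict, n in sorted(audit(SAMPLE).items()):
        print("%-24s %d" % (verdict, n))
    print("NOERROR replies to UPDATE (should be none):", accepted_update_ids(SAMPLE))
```

Only the header is decoded, so the script cannot tell which zone an update targeted; once a capture shows the expected mix of "update-request" and "update-refused" and nothing under "update-accepted", the outbound UDP the network manager sees is accounted for as refusals. Any "update-accepted" entry is the point at which to pull the full message apart and check the zone files.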