DNS Exploit Attempts??

Jeff Lightner jlightner at water.com
Thu Jul 31 15:30:11 UTC 2008


I'd think that wouldn't help much.  

If your cache had been poisoned using the new exploit it meant someone
had already found your server was susceptible to the exploit and would
likely be responding to all your queries from that point on.   Even
turning off cache wouldn't likely help because all your fresh lookups
would be answered by the bad guy.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Sten Carlsen
Sent: Wednesday, July 30, 2008 9:08 PM
To: bind-users at isc.org
Subject: Re: DNS Exploit Attempts??

BTW: if you suspect your cache has been poisoned, would more than just 
flushing the cache be needed to remove the badness? Other than the 
obvious: upgrade to a safe version and disable recursing for that
audience.

Jeff Lightner wrote:
> Yep.  
>  
>
> Recursion and cache query are both prohibited from outside - that was
> actually done before the exploit patch because they'd been flagged in a
> PCI compliance scan.
>
>  
>
> ________________________________
>
> From: Dawn Connelly [mailto:dawn.connelly at gmail.com] 
> Sent: Wednesday, July 30, 2008 4:59 PM
> To: Jeff Lightner
> Cc: Graeme Fowler; bind-users at isc.org
> Subject: Re: DNS Exploit Attempts??
>
>  
>
> No worries. This particular "attack" isn't new...it's probably just
> being used a lot more. It's testing for low hanging fruit to target. If
> your recursion is open to the world, it will be wicked easy to poison
> your cache... moral of the story- patching is great, but make sure your
> recursion ACLs are in place too.
>
> On Wed, Jul 30, 2008 at 1:16 PM, Jeff Lightner <jlightner at water.com>
> wrote:
>
> The point in my post was asking if there was a known thing that occurred
> that would have suddenly spawned more of these kinds of queries
> than in the past given that various people are seeing them.
>
> Obviously I could research individual addresses - but my question wasn't
> how to research them but rather if there was a known badness that had
> suddenly started spawning more of them given that I was seeing them as
> others also apparently were.
>
> To that end Dawn's post more closely attempted to answer that than
> Graeme's.
>
> I have by the way already created a blacklist.   Again I was just
> wondering if there was something new and exciting happening.
>
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
>
> Behalf Of Dawn Connelly
> Sent: Wednesday, July 30, 2008 4:01 PM
> To: Graeme Fowler
> Cc: bind-users at isc.org
> Subject: Re: DNS Exploit Attempts??
>
> True that...but this is most likely the script that was causing the
> badness he was seeing:
> http://www.opennet.ru/dev/fsbackup/src/1.2pl1_to_1.2pl2.diff
> It was written by the same guy that owns the IP address space that he
> was seeing the . requests coming from. It should still be blacklisted.
>
> On Wed, Jul 30, 2008 at 12:46 PM, Graeme Fowler <graeme at graemef.net>
> wrote:
>
>> On Wed, 2008-07-30 at 13:08 -0400, Jeff Lightner wrote:
>>> Someone had apparently posted on a Fedora forum that seeing the high
>>> level of query cache denied was a sign of people trying the exploit but
>>> someone else here said it wasn't a symptom of the exploit.
>> That's not *quite* correct (well, not even correct actually, but that
>> sounds churlish).
>>
>> I said that the addresses listed in the post on the fedora-users list
>> were actually directly related to research work being done by Dan
>> Kaminsky and/or some people at a .edu connected to him.
>>
>> The OP of the message fired off in a panic, IMO, without doing any
>> homework whatsoever.
>>
>>> However, on returning to my office I too saw a dramatic increase in the
>>> number of these.  If they aren't for the exploit does someone know why
>>> they increased?
>> If you've seen a dramatic increase in log entries, have you done any
>> work at all to see where they're coming from? Pound to a penny, if you
>> find they're from an educational institution you'll be able to fire off
>> an email to someone there (look in WHOIS for the contact details for
>> starters) and they'll tell you. If they're from Nigeria, Chinese ISPs,
>> Russia, or a bunch of colo/hosting places in the US or Europe (or other
>> common malware sources, yours will differ from mine) then they're
>> probably scans from less friendly types.
>>
>> There's an interesting message on the OARCI dnsops list here:
>>
>> http://lists.oarci.net/pipermail/dns-operations/2008-July/003110.html
>>
>> [note: the sender of that message is the originator of query-cache scans
>> from Georgia Tech IPv4 space]
>>
>> I guess the important message here is: do some homework first. They may
>> or may not be malicious, but having an indication either way is good
>> before you run into the woods with your shotgun.
>>
>> Graeme

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 
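A defender-side triage script for the "query (cache) ... denied" log entries this thread keeps returning to, added here as an example (not code posted by anyone in the thread): it parses BIND 9 security-channel lines, counts denials per client and flags the root-NS ('.' NS) open-resolver probe Dawn mentions, so each source can be checked in WHOIS as Graeme suggests before it goes on a blacklist. The sample log lines are constructed, and the function names and the assumed BIND 9 message format ("client IP#port: query (cache) 'name/type/class' denied") are mine.

```python
import re
from collections import defaultdict

# BIND 9 logs a line like this (security category) when allow-query-cache or
# allow-recursion rejects a client; newer versions prefix the address with a
# client handle ("client @0x... IP#port (qname):"), which the regex tolerates.
#   30-Jul-2008 13:08:01.123 client 192.0.2.10#53210: query (cache) './NS/IN' denied
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/\w+' denied"
)

# Constructed sample log (not from the thread): one source sending repeated
# root-NS probes, one single probe, one internal host refused once, one
# unrelated line that must be ignored.
SAMPLE_LOG = """\
30-Jul-2008 13:08:01.123 client 192.0.2.10#53210: query (cache) './NS/IN' denied
30-Jul-2008 13:08:01.456 client 192.0.2.10#53211: query (cache) './NS/IN' denied
30-Jul-2008 13:08:02.001 client 198.51.100.7#1025: query (cache) './NS/IN' denied
30-Jul-2008 13:08:03.777 client 10.1.2.3#40001: query (cache) 'www.example.com/A/IN' denied
30-Jul-2008 13:08:04.000 client 192.0.2.10#53212: query (cache) 'example.org/A/IN' denied
30-Jul-2008 13:08:05.000 zone example.com/IN: loaded serial 2008073001
"""

def parse_denied(log_text):
    """One dict (ip, qname, qtype) per 'query (cache) ... denied' line."""
    return [m.groupdict() for m in map(DENIED_RE.search, log_text.splitlines()) if m]

def triage(log_text, min_hits=2):
    """Aggregate denials per client for the WHOIS homework step.

    Returns {ip: {"hits": n, "root_ns_probes": n, "qnames": [...]}} for clients
    with at least min_hits denials; a single refused lookup is noise, a burst
    of './NS' queries is the classic open-resolver probe seen in the thread.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "root_ns_probes": 0, "qnames": set()})
    for rec in parse_denied(log_text):
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["qnames"].add(rec["qname"])
        if rec["qname"] == "." and rec["qtype"] == "NS":
            entry["root_ns_probes"] += 1
    return {ip: {**e, "qnames": sorted(e["qnames"])}
            for ip, e in per_ip.items() if e["hits"] >= min_hits}

if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip}: {info['hits']} denials, {info['root_ns_probes']} root-NS probes, "
              f"qnames={info['qnames']}")
```

Feed it the named security log instead of SAMPLE_LOG; the per-client summary is the list to look up in WHOIS, not a blacklist by itself.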
