Re: Unusual DNS requests (not related to previous DNS thread)

From: measl@mfn.org
Date: 01/18/02


Date: Thu, 17 Jan 2002 20:22:52 -0600 (CST)
From: <measl@mfn.org>
To: Ryan Russell <ryan@securityfocus.com>


On Tue, 15 Jan 2002, Ryan Russell wrote:

> On Mon, 14 Jan 2002 measl@mfn.org wrote:
> > So far, so good. The request is for a PTR
> > record: 0.xxx.xxx.xx.in-addr.arpa. No, that's not a typo, they are
> > requesting reverse for the network address at .0.
>
> Don't get too worried about the 0. part... recall that these are in
> reverse order, so the guy is asking for a name for x.y.z.0.

Yes, I know - look up top :-)

> Or maybe
> that's what you were worried about. It's not common but, depending on
> subnet mask, .0 addresses aren't always reserved.

Sorry I failed to post the mask (/24). And I thoroughly realize that even as
a /24 this is not necessarily an "invalid" request, merely a
"strange" request for a machine not local to the subnet.
 
> > A packet capture shows
> > absolutely nothing out of the ordinary, other than the freaky request, and
> > the regularity of the requests, about one request every five seconds, round
> > the clock.
>
> So this begs the question... is this DNS server supposed to be serving
> in-addr.arpa records?

Why this question (yes, it serves up PTR)?

> I.e. is it reverse for some network address range?
> If so, is there a possibility that that network range is a smurf
> amplifier?

I briefly considered this very question, however, they are not using any gear
(only the older 4.3 BSD boxen really had a reputation for doing this,
right?) which responds to this address - I've personally been down this road
with them.

My final guess was (in order) (a) a misconfigured box somehow generating this
valid but nonsensical request (and the customer seeing the request on his
IDS); (b) some kind of discovery mechanism a la Akamai, Quova, etc...

> Ryan

-- 
Yours, 
J.A. Terranson
sysadmin@mfn.org

If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
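The two observations in the thread (a PTR query whose in-addr.arpa name, read in reverse, is the .0 network address of a /24, and that query arriving about once every five seconds) are easy to check for automatically. The following is an added example written for this archive page, not code from either poster: it reverses an in-addr.arpa owner name back into an address, tests whether that address is the network address of a given prefix, and groups matching PTR queries by client to see whether they recur at a fixed interval. The log format, the `ptr_name_to_address` / `find_suspicious_ptr_queries` names and the sample lines are all assumptions; the addresses are from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, since the thread masks the real ones.

```python
import re
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network

# Constructed sample query-log lines (not taken from the thread).
# Assumed format: "<ISO timestamp> client <ip> query: <qname> IN <qtype>"
SAMPLE_LOG = """\
2002-01-14T10:00:00Z client 198.51.100.7 query: 0.2.0.192.in-addr.arpa IN PTR
2002-01-14T10:00:05Z client 198.51.100.7 query: 0.2.0.192.in-addr.arpa IN PTR
2002-01-14T10:00:10Z client 198.51.100.7 query: 0.2.0.192.in-addr.arpa IN PTR
2002-01-14T10:00:12Z client 198.51.100.9 query: 25.2.0.192.in-addr.arpa IN PTR
2002-01-14T10:00:15Z client 198.51.100.7 query: 0.2.0.192.in-addr.arpa IN PTR
2002-01-14T10:00:20Z client 198.51.100.7 query: 0.2.0.192.in-addr.arpa IN PTR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def ptr_name_to_address(qname):
    """Turn 'd.c.b.a.in-addr.arpa' back into the IPv4 address a.b.c.d.

    The octets appear in reverse order in the owner name, which is why a
    leading '0.' label means a trailing .0 in the address.  Returns None for
    anything that is not a complete four-octet IPv4 PTR owner name.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def is_network_address(addr, network):
    """True when addr is the all-zeros host (network) address of the prefix."""
    return addr in network and addr == network.network_address


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, qname, qtype)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["client"], m["qname"], m["qtype"]))
    return events


def find_suspicious_ptr_queries(text, network, period_s=5.0,
                                tolerance_s=1.0, min_count=3):
    """Find clients repeatedly asking for the PTR of the network address.

    network is a prefix string such as "192.0.2.0/24".  A client is reported
    when it sent at least min_count such queries; 'periodic' is True when
    every gap between consecutive queries is within tolerance_s of period_s.
    """
    net = IPv4Network(network, strict=False)
    by_client = {}
    for ts, client, qname, qtype in parse_log(text):
        if qtype != "PTR":
            continue
        addr = ptr_name_to_address(qname)
        if addr is None or not is_network_address(addr, net):
            continue
        by_client.setdefault(client, []).append(ts)

    findings = {}
    for client, stamps in by_client.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = all(abs(g - period_s) <= tolerance_s for g in gaps)
        findings[client] = {"count": len(stamps), "periodic": periodic,
                            "gaps": gaps}
    return findings


if __name__ == "__main__":
    for client, info in find_suspicious_ptr_queries(SAMPLE_LOG, "192.0.2.0/24").items():
        print(client, info)
```

On the sample data only the client asking for `0.2.0.192.in-addr.arpa` is reported, with five queries spaced exactly five seconds apart; the query for `.25` is a normal host lookup and is ignored. Pointing the same function at a real resolver log with the customer's own prefix is enough to confirm or rule out the "one request every five seconds" pattern without hand-reading captures.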


