On Wed, 2008-07-30 at 13:08 -0400, Jeff Lightner wrote:

> Someone had apparently posted on a Fedora forum that seeing the high
> level of query cache denied was a sign of people trying the exploit but
> someone else here said it wasn't a symptom of the exploit.

That's not *quite* correct (well, not even correct actually, but that sounds churlish). I said that the addresses listed in the post on the fedora-users list were actually directly related to research work being done by Dan Kaminsky and/or some people at a .edu connected to him. The OP of the message fired off in a panic, IMO, without doing any homework whatsoever.

> However, on returning to my office I too saw a dramatic increase in the
> number of these. If they aren't for the exploit does someone know why
> they increased?

If you've seen a dramatic increase in log entries, have you done any work at all to see where they're coming from? Pound to a penny, if you find they're from an educational institution you'll be able to fire off an email to someone there (look in WHOIS for the contact details for starters) and they'll tell you. If they're from Nigeria, Chinese ISPs, Russia, or a bunch of colo/hosting places in the US or Europe (or other common malware sources, yours will differ from mine) then they're probably scans from less friendly types.

There's an interesting message on the OARCI dnsops list here:

http://lists.oarci.net/pipermail/dns-operations/2008-July/003110.html

[note: the sender of that message is the originator of query-cache scans from Georgia Tech IPv4 space]

I guess the important message here is: do some homework first. They may or may not be malicious, but having an indication either way is good before you run into the woods with your shotgun.

Graeme
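The homework Graeme describes starts with the log itself. The script below is an added example, not code from the thread: it parses BIND-style `query (cache) '...' denied` lines (constructed sample data using documentation address ranges) and tallies them by source address and by queried name, which gives you the short list of addresses to look up in WHOIS before deciding whether anything is wrong.

```python
import re
from collections import Counter

# Constructed sample log, not real data; addresses are from RFC 5737 documentation
# ranges. Lines follow the BIND 9 security-category format for refused cache queries.
SAMPLE_LOG = """\
30-Jul-2008 13:05:01.101 client 192.0.2.10#42311: query (cache) 'www.example.com/A/IN' denied
30-Jul-2008 13:05:01.230 client 192.0.2.10#42312: query (cache) 'www.example.com/A/IN' denied
30-Jul-2008 13:05:02.004 client 198.51.100.7#53: query (cache) 'example.net/MX/IN' denied
30-Jul-2008 13:05:02.771 client 192.0.2.10#42313: query (cache) 'mail.example.org/A/IN' denied
30-Jul-2008 13:05:03.010 client 203.0.113.9#1025: query (cache) 'example.net/A/IN' denied
30-Jul-2008 13:05:03.500 client 192.0.2.10#42314: query (cache) 'example.net/A/IN' denied
30-Jul-2008 13:05:04.000 client 198.51.100.7#53: query: example.com IN A + (10.0.0.1)
"""

# Matches only the "query (cache) ... denied" form; ordinary query-log lines are ignored.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied"
)

def parse_denied(log_text):
    """Yield one dict (ip, port, qname, qtype, qclass) per denied cache query."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(log_text, top=5):
    """Count denied cache queries per source address and per queried name.

    Returns (by_source, by_name), each a list of (value, count) with the most
    frequent first. The by_source list is what you take to WHOIS.
    """
    by_source = Counter()
    by_name = Counter()
    for rec in parse_denied(log_text):
        by_source[rec["ip"]] += 1
        by_name[rec["qname"]] += 1
    return by_source.most_common(top), by_name.most_common(top)

if __name__ == "__main__":
    sources, names = summarize(SAMPLE_LOG)
    print("Denied cache queries by source address:")
    for ip, n in sources:
        print(f"  {n:5d}  {ip}")
    print("Most-requested names:")
    for qname, n in names:
        print(f"  {n:5d}  {qname}")
```

Run it against your own `named` log instead of `SAMPLE_LOG`; a single source dominating the list is the address to resolve with WHOIS first.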
