BTW: if you suspect your cache has been poisoned, would more than just flushing the cache be needed to remove the badness? Other than the obvious: upgrade to a safe version and disable recursing for that audience.
Jeff Lightner wrote:
> Yep.
>
> Recursion and cache query are both prohibited from outside - that was
> actually done before the exploit patch because they'd been flagged in a
> PCI compliance scan.
>
> ________________________________
>
> From: Dawn Connelly [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 30, 2008 4:59 PM
> To: Jeff Lightner
> Cc: Graeme Fowler; [email protected]
> Subject: Re: DNS Exploit Attempts??
>
> No worries. This particular "attack" isn't new... it's probably just
> being used a lot more. It's testing for low-hanging fruit to target. If
> your recursion is open to the world, it will be wicked easy to poison
> your cache... moral of the story: patching is great, but make sure your
> recursion ACLs are in place too.
>
> On Wed, Jul 30, 2008 at 1:16 PM, Jeff Lightner <[EMAIL PROTECTED]> wrote:
>
> The point in my post was asking if there was a known thing that occurred
> that would suddenly have spawned more of these kinds of queries than in
> the past, given that various people are seeing them.
>
> Obviously I could research individual addresses - but my question wasn't
> how to research them but rather whether there was a known badness that had
> suddenly started spawning more of them, given that I was seeing them as
> others also apparently were.
>
> To that end Dawn's post more closely attempted to answer that than
> Graeme's.
>
> I have, by the way, already created a blacklist. Again, I was just
> wondering if there was something new and exciting happening.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dawn Connelly
> Sent: Wednesday, July 30, 2008 4:01 PM
> To: Graeme Fowler
> Cc: [email protected]
> Subject: Re: DNS Exploit Attempts??
>
> True that... but this is most likely the script that was causing the
> badness he was seeing:
> http://www.opennet.ru/dev/fsbackup/src/1.2pl1_to_1.2pl2.diff
> It was written by the same guy that owns the IP address space that he
> was seeing the . requests coming from. It should still be blacklisted.
>
> On Wed, Jul 30, 2008 at 12:46 PM, Graeme Fowler <[EMAIL PROTECTED]> wrote:
>
>> On Wed, 2008-07-30 at 13:08 -0400, Jeff Lightner wrote:
>>
>>> Someone had apparently posted on a Fedora forum that seeing the high
>>> level of query cache denied was a sign of people trying the exploit, but
>>> someone else here said it wasn't a symptom of the exploit.
>>
>> That's not *quite* correct (well, not even correct actually, but that
>> sounds churlish).
>>
>> I said that the addresses listed in the post on the fedora-users list
>> were actually directly related to research work being done by Dan
>> Kaminsky and/or some people at a .edu connected to him.
>>
>> The OP of the message fired off in a panic, IMO, without doing any
>> homework whatsoever.
>>
>>> However, on returning to my office I too saw a dramatic increase in the
>>> number of these. If they aren't for the exploit, does someone know why
>>> they increased?
>>
>> If you've seen a dramatic increase in log entries, have you done any
>> work at all to see where they're coming from? Pound to a penny, if you
>> find they're from an educational institution you'll be able to fire off
>> an email to someone there (look in WHOIS for the contact details for
>> starters) and they'll tell you. If they're from Nigeria, Chinese ISPs,
>> Russia, or a bunch of colo/hosting places in the US or Europe (or other
>> common malware sources, yours will differ from mine) then they're
>> probably scans from less friendly types.
>>
>> There's an interesting message on the OARCI dnsops list here:
>>
>> http://lists.oarci.net/pipermail/dns-operations/2008-July/003110.html
>>
>> [note: the sender of that message is the originator of query-cache scans
>> from Georgia Tech IPv4 space]
>>
>> I guess the important message here is: do some homework first. They may
>> or may not be malicious, but having an indication either way is good
>> before you run into the woods with your shotgun.
>>
>> Graeme

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"
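The "do some homework first" step Graeme describes (find out where the "query (cache) ... denied" entries come from before deciding whether they are research scans or hostile probes) can be scripted. The following is an added example and not code from anyone in the thread: it parses BIND 9 security-category log lines of the form `client A.B.C.D#port: query (cache) 'name/type/class' denied`, aggregates them per source address, counts how many were probes for the root (`./NS/IN`, the classic open-resolver test), and separates sources already identified (for instance a research network that answered your WHOIS enquiry) from those that still need a lookup. The log lines, addresses and the `192.0.2.0/24` "known research prefix" below are constructed for the example; only the BIND log format is real.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of BIND 9 "query (cache) ... denied" lines. The
# timestamps, addresses and names are invented for this example; the last
# line is a normal querylog entry, included to show the parser ignores it.
SAMPLE_LOG = """\
30-Jul-2008 13:05:11.101 client 192.0.2.10#53210: query (cache) './NS/IN' denied
30-Jul-2008 13:05:12.417 client 192.0.2.10#53211: query (cache) './NS/IN' denied
30-Jul-2008 13:06:03.005 client 198.51.100.7#40001: query (cache) 'www.example.com/A/IN' denied
30-Jul-2008 13:06:03.220 client 198.51.100.7#40002: query (cache) 'example.net/MX/IN' denied
30-Jul-2008 13:07:45.930 client 203.0.113.77#1025: query (cache) './NS/IN' denied
30-Jul-2008 13:08:00.000 client 203.0.113.77#1026: query (cache) './NS/IN' denied
30-Jul-2008 13:08:00.010 client 203.0.113.77#1027: query (cache) './NS/IN' denied
30-Jul-2008 13:09:15.512 client 192.0.2.44#5353: query (cache) 'example.org/A/IN' denied
30-Jul-2008 13:09:40.700 client 2001:db8::5#4000: query (cache) './NS/IN' denied
30-Jul-2008 13:10:00.000 client 192.0.2.44#5353: query: example.org IN A + (10.0.0.1)
"""

# Matches the client address (v4 or v6), source port and the qname/qtype/qclass
# triple BIND prints for a denied cache query.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)' denied"
)


def parse_denied(log_text):
    """Yield (source_ip, qname, qtype) for every denied cache query line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("rtype")


def summarize(log_text, known_prefixes=()):
    """Aggregate denied cache queries per source address.

    known_prefixes: CIDR strings for sources you have already accounted for
    (hypothetical example: a research network you have exchanged email with).
    Returns an ordered dict, busiest source first, of
    ip -> {"count", "root_probes", "names", "known"}.
    """
    nets = [ipaddress.ip_network(p) for p in known_prefixes]
    per_ip = defaultdict(lambda: {"count": 0, "root_probes": 0, "names": set(), "known": False})
    for ip, name, _rtype in parse_denied(log_text):
        entry = per_ip[ip]
        entry["count"] += 1
        if name == ".":              # a query for the root: open-resolver probe
            entry["root_probes"] += 1
        entry["names"].add(name)
    for ip, entry in per_ip.items():
        addr = ipaddress.ip_address(ip)
        entry["known"] = any(addr in net for net in nets)
    # sorted() is stable, so equal counts keep first-seen order
    return dict(sorted(per_ip.items(), key=lambda kv: kv[1]["count"], reverse=True))


def triage(summary):
    """Split sources into already-identified ones and ones that need a WHOIS lookup."""
    known = [ip for ip, e in summary.items() if e["known"]]
    unknown = [ip for ip, e in summary.items() if not e["known"]]
    return known, unknown


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, known_prefixes=("192.0.2.0/24",))
    known, unknown = triage(summary)
    for ip in unknown:
        e = summary[ip]
        print(f"{ip:<16} {e['count']:>3} denied, {e['root_probes']} root probes, "
              f"names={sorted(e['names'])}  -> look up in WHOIS")
    for ip in known:
        print(f"{ip:<16} {summary[ip]['count']:>3} denied  (already identified)")
```

In practice you would feed the script `grep 'query (cache)' /var/log/named/security.log` and add prefixes to `known_prefixes` as each WHOIS contact replies; the sources that remain in the "unknown" list, especially the ones probing only for `./NS/IN`, are the candidates for the blacklist Jeff mentions. None of this replaces the `allow-recursion` / `allow-query-cache` ACLs the thread recommends; it only tells you who is knocking on them.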
