On Wed, 2008-07-30 at 13:08 -0400, Jeff Lightner wrote:
> Someone had apparently posted on a Fedora forum that seeing the high
> level of query cache denied was a sign of people trying the exploit but
> someone else here said it wasn't a symptom of the exploit.

That's not *quite* correct (well, not even correct actually, but that
sounds churlish).

I said that the addresses listed in the post on the fedora-users list
were actually directly related to research work being done by Dan
Kaminsky and/or some people at a .edu connected to him.

The OP of the message fired off in a panic, IMO, without doing any
homework whatsoever.

> However, on returning to my office I too saw a dramatic increase in the
> number of these. If they aren't for the exploit does someone know why
> they increased?

If you've seen a dramatic increase in log entries, have you done any
work at all to see where they're coming from? Pound to a penny, if you
find they're from an educational institution you'll be able to fire off
an email to someone there (look in WHOIS for the contact details for
starters) and they'll tell you. If they're from Nigeria, Chinese ISPs,
Russia, or a bunch of colo/hosting places in the US or Europe (or other
common malware sources, yours will differ from mine) then they're
probably scans from less friendly types.

There's an interesting message on the OARCI dnsops list here:


[note: the sender of that message is the originator of query-cache scans
from Georgia Tech IP IPv4 space]

I guess the important message here is: do some homework first. They may
or may not be malicious, but having an indication either way is good
before you run into the woods with your shotgun.