BTW: if you suspect your cache has been poisoned, would more than just
flushing the cache be needed to remove the badness? Other than the
obvious: upgrade to a safe version and disable recursing for that audience.

Jeff Lightner wrote:
> Yep.
>
>
> Recursion and cache query are both prohibited from outside - that was
> actually done before the exploit patch because they'd been flagged in a
> PCI compliance scan.
>
>
>
> ________________________________
>
> From: Dawn Connelly [mailto:dawn.connelly@gmail.com]
> Sent: Wednesday, July 30, 2008 4:59 PM
> To: Jeff Lightner
> Cc: Graeme Fowler; bind-users@isc.org
> Subject: Re: DNS Exploit Attempts??
>
>
>
> No worries. This particular "attack" isn't new...it's probably just
> being used a lot more. It's testing for low hanging fruit to target. If
> your recursion is open to the world, it will be wicked easy to poison
> your cache... moral of the story- patching is great, but make sure your
> recursion ACLs are in place too.
>
> On Wed, Jul 30, 2008 at 1:16 PM, Jeff Lightner
> wrote:
>
> The point in my post was asking if there was a known thing that occurred
> that would have suddenly have spawned more of these kinds of queries
> than in the past given that various people are seeing them.
>
> Obviously I could research individual addresses - but my question wasn't
> how to research them but rather if there was a known badness that had
> suddenly started spawning more of them given that I was seeing them as
> others also apparently were.
>
> To that end Dawn's post more closely attempted to answer that than
> Graeme's.
>
> I have by the way already created a blacklist. Again I was just
> wondering if there was something new and exciting happening.
>
>
> -----Original Message-----
> From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
>
> Behalf Of Dawn Connelly
> Sent: Wednesday, July 30, 2008 4:01 PM
> To: Graeme Fowler
> Cc: bind-users@isc.org
> Subject: Re: DNS Exploit Attempts??
>
> True that...but this is most likely the script that was causing the
> badness
> he was seeing:
> http://www.opennet.ru/dev/fsbackup/s...to_1.2pl2.diff
> It was written by the same guy that owns the IP address space that he
> was
> seeing the . requests coming from. It should still be blacklisted.
>
> On Wed, Jul 30, 2008 at 12:46 PM, Graeme Fowler
> wrote:
>
>
>> On Wed, 2008-07-30 at 13:08 -0400, Jeff Lightner wrote:
>>
>>> Someone had apparently posted on a Fedora forum that seeing the high
>>> level of query cache denied was a sign of people trying the exploit
>>>

> but
>
>>> someone else here said it wasn't a symptom of the exploit.
>>>

>> That's not *quite* correct (well, not even correct actually, but that
>> sounds churlish).
>>
>> I said that the addresses listed in the post on the fedora-users list
>> were actually directly related to research work being done by Dan
>> Kaminsky and/or some people at a .edu connected to him.
>>
>> The OP of the message fired off in a panic, IMO, without doing any
>> homework whatsoever.
>>
>>
>>> However, on returning to my office I too saw a dramatic increase in
>>>

> the
>
>>> number of these. If they aren't for the exploit does someone know
>>>

> why
>
>>> they increased?
>>>

>> If you've seen a dramatic increase in log entries, have you done any
>> work at all to see where they're coming from? Pound to a penny, if you
>> find they're from an educational institution you'll be able to fire
>>

> off
>
>> an email to someone there (look in WHOIS for the contact details for
>> starters) and they'll tell you. If they're from Nigeria, Chinese ISPs,
>> Russia, or a bunch of colo/hosting places in the US or Europe (or
>>

> other
>
>> common malware sources, yours will differ from mine) then they're
>> probably scans from less friendly types.
>>
>> There's an interesting message on the OARCI dnsops list here:
>>
>> http://lists.oarci.net/pipermail/dns...ly/003110.html
>>
>> [note: the sender of that message is the originator of query-cache
>>

> scans
>
>> from Georgia Tech IP IPv4 space]
>>
>> I guess the important message here is: do some homework first. They
>>

> may
>
>> or may not be malicious, but having an indication either way is good
>> before you run into the woods with your shotgun.
>>
>> Graeme
>>
>>
>>
>>

>
> ----------------------------------
> CONFIDENTIALITY NOTICE: This e-mail may contain privileged or
> confidential information and is for the sole use of the intended
> recipient(s). If you are not the intended recipient, any disclosure,
> copying, distribution, or use of the contents of this information is
> prohibited and may be unlawful. If you have received this electronic
> transmission in error, please reply immediately to the sender that you
> have received the message in error, and delete it. Thank you.
> ----------------------------------
>
>
>
>
>
>


--
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"