Date: Sun, 12 Jul 1998 17:27:45 +0200
From: sthaug@nethelp.no
To: maillist@oaks.com.au
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DNS zone xfers from random(?) sites
Message-ID: <7453.900257265@verdi.nethelp.no>
In-Reply-To: Your message of "Fri, 10 Jul 1998 21:59:07 +1000"
References: <199807101158.VAA15030@mail.aussie.org>
> Basically, what seems to be random sites around the world (e.g. Israel,
> Singapore, France) are downloading the zone file, even where they are not
> secondaries to this domain. I am not seeing this pattern on other domains
> (one or two of them perhaps, but not so many in such a short time). I do
> not recognise the sites that are requesting the transfers.
>
> While I could of course block them from doing this I am curious as to
> whether or not anyone can offer up any suggestion as to _why_ this may be
> happening, and if there is any legitimate explanation for it. The domain
> in question is for a local (Melbourne, Australia) FM radio station (which
> is not even broadcasting at the moment) and I can hardly see it having any
> interest to people in, say, France or Singapore.

We've seen attacks that were directly correlated to zone files being transferred. Fetch one zone file with a lot of delegations (12000 or so), and then (a few minutes later) target all the name servers in this zone file with pop3/imap/portmap/whatever attacks. Additionally, attempt to fetch the zone files for all the delegated zones also, presumably to use for another attack.

(That's when we turned off zone transfers. Now only select hosts are allowed to perform zone transfers from our name servers.)

I don't like turning off zone transfers - they are valuable when you're trying to diagnose network related problems. But with the amount of attacks we saw that were directly correlated with zone transfers, we didn't have much choice...

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
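Restricting transfers to known secondaries (in BIND, the `allow-transfer` option) is the fix Steinar describes; the added example below, which is not part of the thread, shows the detection side: it flags AXFR/IXFR requests from hosts outside a secondary list and counts how many zones each offender pulled, the delegation-harvesting pattern he saw. The BIND 9 query-log format, the addresses and the sample lines are all assumptions constructed for the example.

```python
import ipaddress
import re

# BIND 9 style query-log line (format assumed for this example), e.g.
#   client @0x7f.. 203.0.113.7#40101 (example.net): query: example.net IN AXFR -TE (192.0.2.53)
# The "@0x..." pointer token is absent in older releases, so it is optional here.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) \S+ (?P<qtype>\S+)"
)

# Hosts permitted to pull zones; constructed, mirror your allow-transfer list.
ALLOWED_SECONDARIES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::53/128"),
]

def is_allowed(src: str) -> bool:
    """True if src falls inside one of the permitted secondary networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SECONDARIES)

def suspicious_transfers(lines):
    """Return (src, zone) for every AXFR/IXFR request from a non-secondary."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m["qtype"] not in ("AXFR", "IXFR"):
            continue  # ordinary lookups and unparseable lines are ignored
        if not is_allowed(m["src"]):
            hits.append((m["src"], m["qname"].rstrip(".").lower()))
    return hits

def zones_per_source(hits):
    """Count distinct zones pulled per offending host; one host pulling many
    delegated zones in a short window is the harvesting pattern in the thread."""
    per_src = {}
    for src, zone in hits:
        per_src.setdefault(src, set()).add(zone)
    return {src: len(zones) for src, zones in per_src.items()}

# Constructed sample log: one legitimate secondary, one A lookup, three rogue pulls.
SAMPLE_LOG = [
    "client 198.51.100.1#51020 (fm-example.net): query: fm-example.net IN AXFR -TE (192.0.2.53)",
    "client 203.0.113.7#40100 (www.fm-example.net): query: www.fm-example.net IN A +E(0)K (192.0.2.53)",
    "client 203.0.113.7#40101 (fm-example.net): query: fm-example.net IN AXFR -TE (192.0.2.53)",
    "client 203.0.113.7#40102 (sub.fm-example.net): query: sub.fm-example.net IN AXFR -TE (192.0.2.53)",
    "client @0x7f3a9c0e5c80 203.0.113.9#40200 (fm-example.net): query: fm-example.net IN IXFR -TE (192.0.2.53)",
]
```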