On February 03, 2009, Cole Tuininga sent me the following:

> On Tue, 2009-02-03 at 00:11 -0500, Ben Scott wrote:
> > client 192.0.2.42 query (cache)
> > 'aaccmmaaaafwx0000dlaaabaaafbbfpg/NS/IN' denied: 1 Time(s)
> > client 192.0.2.42 query (cache)
> > 'abbcneaaaafwx0000dlaaabaaafbkkag/NS/IN' denied: 1 Time(s)
> > client 192.0.2.42 query (cache)
> > 'acdbbbaaaafwx0000dlaaabaaafbpkeo/NS/IN' denied: 1 Time(s)
>
> I'd guess they were either trying to do a "quick Kaminsky scan" or (less
> likely) looking for an open resolver. Just my $.02.

Could be cache-probing as well. Older BINDs didn't link the allow-recursion and allow-query-cache settings, so very often people would disallow recursive queries but still allow queries to be answered from cache. Not sure how useful it is to know what people have been looking up, but I assume it could be used to aid in another attack.

By the way, does anyone else find the new ISC site to be really annoying to navigate? Instead of nice lists for BIND version and documentation, they've embedded all the links inside paragraphs of text.

-- 
Chip Marshall <c...@2bithacker.net>
http://weblog.2bithacker.net/
KB1QYW PGP key ID 43C4819E
v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
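
One way to tally the denied cache queries quoted in this thread per client, so a resolver operator can see who is probing and with how many distinct names; this is an added example, not part of the original messages. It goes beyond the quoted summary lines by also accepting the raw `client IP#port:` layout that named writes to its own log; the function names, the threshold and the 198.51.100.7 lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Accepts the summary form quoted in the thread and the raw named form
# ("client 198.51.100.7#4321: query (cache) 'name/A/IN' denied").
LINE_RE = re.compile(
    r"client\s+(?P<ip>[0-9A-Fa-f.:]+?)(?:#\d+)?:?\s+query \(cache\)\s+"
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)'\s+denied"
    r"(?::\s+(?P<count>\d+)\s+Time\(s\))?"
)

def summarize(lines):
    """Return {client_ip: {"denied": int, "names": set, "qtypes": set}}."""
    stats = defaultdict(lambda: {"denied": 0, "names": set(), "qtypes": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a denied cache query
        entry = stats[m["ip"]]
        # Summary lines carry a count; a raw log line is one event.
        entry["denied"] += int(m["count"] or 1)
        entry["names"].add(m["name"].lower())
        entry["qtypes"].add(m["qtype"])
    return dict(stats)

def suspects(stats, min_names=3):
    """Clients denied on at least min_names distinct names (hypothetical threshold)."""
    return sorted(ip for ip, s in stats.items() if len(s["names"]) >= min_names)

# First three entries are the lines quoted in the thread, joined onto one
# line each; the 198.51.100.7 entries are constructed sample input.
SAMPLE = """\
client 192.0.2.42 query (cache) 'aaccmmaaaafwx0000dlaaabaaafbbfpg/NS/IN' denied: 1 Time(s)
client 192.0.2.42 query (cache) 'abbcneaaaafwx0000dlaaabaaafbkkag/NS/IN' denied: 1 Time(s)
client 192.0.2.42 query (cache) 'acdbbbaaaafwx0000dlaaabaaafbpkeo/NS/IN' denied: 1 Time(s)
client 198.51.100.7#4321: query (cache) 'www.example.com/A/IN' denied
client 198.51.100.7#4322: query (cache) 'WWW.example.com/A/IN' denied
named[812]: zone example.com/IN: loaded serial 2009020301
"""

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    for ip in suspects(report):
        s = report[ip]
        print(f"{ip}: {s['denied']} denied, {len(s['names'])} distinct names, "
              f"types {sorted(s['qtypes'])}")
```
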