Hi, Once a quarter, a sweep is run on the inverse tree of the DNS to determine the accuracy of the delegations. Full zones are collected (but not kept) in an effort to track the size of the Internet as well as to ensure that we collect all NS and SOA records. Interesting side effects are the proximal measure of the penetration of firewalls/RFC1918 usage/bind access controls.

I have tried to let operations people know that this is occuring, but apparently I am not reaching all interested parties. Notification is sent to the operations lists NANOG, APOPS, EOF, and IEPG, asking for operators who have recently implemented BINDs access controls to add the two collecter nodes to their filters. Are there ways to provide advance notification about such audit runs that will encourage better participation?

So... this is a heads up that you will be seeing zone transfers being generated by a couple of collecter machines. For those of you who utilize BINDs access controls, I'd appreciate your inclusion of the collector machines in allowed transfers. The expectation is that they will be the following IP addresses: and

If there are any questions or concerns, I'd be happy to talk about them. Past data has been presented at IEPG, Apricot and RIPE meetings. The expectation is that future data will be presented in the same and similar forums.

More stuff that has been asked for: - zone transfer acceptance (refusal) rates

This activity has been confused with the basic attack model for "mscan". Be assured that this is not an "mscan" precursor. The following description on "mscan" is from CERT Summary CS-98.07 ............

It is nothing new for intruders to launch widespread scans to locate vulnerable machines. However, a new, publicly released intruder tool called "mscan" scans networks for many different vulnerabilities. The CERT/CC has received numerous reports indicating that this tool is in widespread use within the intruder community.

We encourage you to review CERT Incident Note IN-98.02, which describes mscan and its recognizable signature in more detail. (A description of incident notes appears in a later section, New CERT Security Documents.) This incident note is available at


The tool uses DNS zone transfers and systematic scanning of IP addresses, either alone or in combination, to locate machines. Once machines are located, they are tested for a number of vulnerabilities.

Additional useful information about mscan can be found at


courtesy of the Australian Computer Emergency Response Team (AUSCERT).

Also from the CERT:

3. Multiple Vulnerabilities in BIND

In two previous special edition CERT Summaries, CS-98.04 and CS-98.05, we discussed several attack methods being used to exploit vulnerabilities in BIND. CS-98.04 and CS-98.05 are available from



Intruders are still exploiting vulnerabilities described in CERT Advisory CA-98.05. We encourage you to review CERT Advisory CA-98.05, which describes the BIND buffer overflow vulnerability, and to apply the appropriate patches if you have not done so already. This advisory is available from

http://www.cert.org/advisories/CA-98.05.bind_problems.html ftp://ftp.cert.org/pub/cert_advisories/CA-98.05.bind_problems

If you find you have been root compromised, this document suggests appropriate steps to take in response:

http://www.cert.org/tech_tips/root_compromise.html ftp://ftp.cert.org/pub/tech_tips/root_compromise



1998/08/30 Bill Manning <bmanning@isi.edu>