Hi,
Once a quarter, a sweep is run on the inverse tree of the DNS to determine
the accuracy of the delegations.
Full zones are collected (but not kept) in an effort to track the size of
the Internet as well as to ensure that
we collect all NS and SOA records. Interesting side effects are the
proximal measure of the penetration of
firewalls/RFC1918 usage/bind access controls.
I have tried to let operations people know that this is occurring, but
apparently I am not reaching all interested parties.
Notification is sent to the operations lists
NANOG, APOPS, EOF, and IEPG, asking operators who have recently
implemented BIND's access controls to add the two collector nodes
to their filters.
Are there ways to provide advance notification about such audit
runs that will encourage better participation?
So... this is a heads up that you will be seeing zone transfers
being generated by a couple of collector machines. For those of
you who utilize BIND's access controls, I'd appreciate your inclusion of
the collector machines in allowed transfers. The expectation
is that they will be the following IP addresses:
128.9.160.57 and 198.32.4.13
If there are any questions or concerns, I'd be happy to talk
about them. Past data has been presented at IEPG, Apricot and RIPE
meetings. The expectation is that future data will be presented in
the same and similar forums.
More stuff that has been asked for:
- zone transfer acceptance (refusal) rates
This activity has been confused with the basic attack model
for "mscan". Be assured that this is not an "mscan" precursor.
The following description on "mscan" is from CERT Summary CS-98.07
............
It is nothing new for intruders to launch widespread scans to
locate vulnerable machines. However, a new, publicly released
intruder tool called "mscan" scans networks for many different
vulnerabilities. The CERT/CC has received numerous reports
indicating that this tool is in widespread use within the
intruder community.
We encourage you to review CERT Incident Note IN-98.02, which
describes mscan and its recognizable signature in more
detail. (A description of incident notes appears in a later
section, New CERT Security Documents.) This incident note is
available at
http://www.cert.org/incident_notes/IN-98.02.html
The tool uses DNS zone transfers and systematic scanning of IP
addresses, either alone or in combination, to locate
machines. Once machines are located, they are tested for a
number of vulnerabilities.
Additional useful information about mscan can be found at
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-98.01.mscan
courtesy of the Australian Computer Emergency Response Team
(AUSCERT).
Also from the CERT:
3. Multiple Vulnerabilities in BIND
In two previous special edition CERT Summaries, CS-98.04 and
CS-98.05, we discussed several attack methods being used to
exploit vulnerabilities in BIND. CS-98.04 and CS-98.05 are
available from
http://www.cert.org/summaries/CS-98.04.html
http://www.cert.org/summaries/CS-98.05.html
Intruders are still exploiting vulnerabilities described in
CERT Advisory CA-98.05. We encourage you to review CERT
Advisory CA-98.05, which describes the BIND buffer overflow
vulnerability, and to apply the appropriate patches if you have
not done so already. This advisory is available from
http://www.cert.org/advisories/CA-98.05.bind_problems.html
ftp://ftp.cert.org/pub/cert_advisories/CA-98.05.bind_problems
If you find you have been root compromised, this document
suggests appropriate steps to take in response:
http://www.cert.org/tech_tips/root_compromise.html
ftp://ftp.cert.org/pub/tech_tips/root_compromise
AUDIT SUMMARY DATA
DNS S/W VERSION DISTRIBUTION SUMMARY
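The BIND access control the post asks operators to adjust, shown as an added example that is not part of the original message: a named.conf fragment with the open zone-transfer setting beside a restricted one that admits only the server's own secondaries and the two announced collector addresses. The secondary server addresses are placeholders; the collector addresses are the two given in the post.

```conf
// Added example, not from the original post.
// Placeholder addresses for this server's secondaries (documentation range).
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

// The two collector machines announced in the post.
acl "audit-collectors" { 128.9.160.57; 198.32.4.13; };

options {
    // Weak setting: any host on the Internet may AXFR every zone served here,
    // which is exactly what tools like mscan rely on to enumerate hosts.
    // allow-transfer { any; };

    // Restricted setting: refuse transfers by default; grant them per zone.
    allow-transfer { none; };
};

zone "example.net" {
    type master;
    file "db.example.net";
    // Only the secondaries and the announced collectors may transfer this zone;
    // every other AXFR request is refused and logged by named.
    allow-transfer { secondaries; audit-collectors; };
};
```

Refused transfer attempts still appear in the named log, so the collector addresses can be checked against the announced ones before being added to the ACL.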