[nsp-sec] DNS poisoning activity in the wild

Leo Bicknell Leo_Bicknell at isc.org
Wed Jul 30 11:24:01 EDT 2008


In a message written on Wed, Jul 30, 2008 at 05:06:19PM +0200, Florian Weimer wrote:
> Could you provide a PTR record without any magic activity for the main
> scanning host?  The current setup is very close to reaching a DNS
> timeout (and hence SERVFAIL in the response to the client).

In a message written on Wed, Jul 30, 2008 at 11:11:22AM -0400, Ross, Jason wrote:
> Leo, is it OK to pass on sanitized bits of this note to DNS Ops?
> They maintain some firewall rules on the hosts apart from our router
> ACLs, so I'd like to just let them know "Hey, if you see traffic
> from this block, leave it alone or contact this address, it's ISC
> and they're doing research" if that'd be permissible.

Generally we set aside small netblocks (e.g. a /28) for scanners
so they can have multiple IPs and good rDNS for the task at hand.
For instance, an IP for the scanner started last night:

% dig +short -x 149.20.56.10
10.56-28.20.149.in-addr.arpa.
dan-kaminsky.scanning.browse-http-on-this-site.doxdns5.com.

And one of our standard OARC survey boxes:

% dig +short -x 149.20.52.130
network-scanner-130-for-more-info-see.public.dns-oarc.net.

Unfortunately doxdns5.com seems to be having issues this morning;
doxpara.com is the same folks.  I'm poking people about that not
working.

So, while I have no particular problem with you guys letting your
security folks know ISC is hosting some white hat scanners, I might
encourage the more generic solution of making sure they look at rDNS;
legitimate scanners go out of their way to explain their actions.
:)

-- 
Leo Bicknell; E-mail: Leo_Bicknell at isc.org, Phone: +1 650 423 1358
INOC*DBA *3357*592; Internet Systems Consortium, Inc.  www.isc.org
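Added example, not part of the post above or of any ISC or OARC tooling: a small rDNS triage script that does what the message recommends, i.e. looks up the PTR for each source address seen in a firewall log before anyone decides to block or escalate it. The log lines and the DNS record table are constructed for the example; the two PTR names are the ones shown by `dig` in the post, and the first of them is modelled as the RFC 2317 style classless delegation visible there (the /32 name is a CNAME into the /28 sub-zone, and only the CNAME target carries the PTR). The scanner keyword list, the `table_lookup`/`live_lookup` split and the netfilter-style log format are all assumptions of the example.

```python
"""Reverse-DNS triage of firewall log sources (added example, not from the post)."""
import ipaddress
import re
import socket

# Constructed zone data modelled on the two lookups in the post.  The 149.20.56.10
# entry is an RFC 2317 style classless delegation: the /32 owner name is a CNAME
# into a "56-28" sub-zone, and only the CNAME target has the PTR.  The 203.0.113.x
# pair is a deliberate CNAME loop, to show the hop limit doing its job.
CONSTRUCTED_RECORDS = {
    "10.56.20.149.in-addr.arpa.": ("CNAME", "10.56-28.20.149.in-addr.arpa."),
    "10.56-28.20.149.in-addr.arpa.": ("PTR", "dan-kaminsky.scanning.browse-http-on-this-site.doxdns5.com."),
    "130.52.20.149.in-addr.arpa.": ("PTR", "network-scanner-130-for-more-info-see.public.dns-oarc.net."),
    "1.113.0.203.in-addr.arpa.": ("CNAME", "2.113.0.203.in-addr.arpa."),
    "2.113.0.203.in-addr.arpa.": ("CNAME", "1.113.0.203.in-addr.arpa."),
}

# Hypothetical keyword list: tokens that, in a PTR name, mark a scanner that
# explains itself.  Tune to what you actually see in your logs.
SCANNER_TOKENS = ("scanner", "scanning", "for-more-info", "research", "survey")

# Netfilter/iptables style log line; only the SRC= field matters here.
LOG_RE = re.compile(r"\bSRC=(\S+)")


def reverse_name(ip: str) -> str:
    """Owner name under in-addr.arpa (v4) or ip6.arpa (v6), with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def table_lookup(ip: str, records=CONSTRUCTED_RECORDS, max_hops: int = 8):
    """Resolve an address to its PTR target using the constructed record table.

    CNAMEs are followed up to max_hops; a missing record, a loop or an over-long
    chain returns None rather than spinning (an over-long chain is exactly the
    kind of thing that makes a real resolver time out and SERVFAIL the client).
    """
    name = reverse_name(ip)
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None:
            return None
        rtype, rdata = rec
        if rtype == "PTR":
            return rdata
        name = rdata  # CNAME: keep walking
    return None


def live_lookup(ip: str):
    """Same interface, backed by the system stub resolver (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".") + "."
    except (socket.herror, socket.gaierror, OSError):
        return None


def is_self_identifying(ptr) -> bool:
    """True when the PTR name carries one of the scanner keywords."""
    if ptr is None:
        return False
    lowered = ptr.lower()
    return any(tok in lowered for tok in SCANNER_TOKENS)


def triage(log_lines, lookup=table_lookup):
    """Map each distinct source IP to (ptr, verdict).

    Verdicts: "self-identifying-scanner" (PTR explains itself; read it before
    blocking), "unknown" (PTR present but says nothing useful), "no-rdns"
    (no PTR, or the lookup failed).  Each IP is resolved once.
    """
    result = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group(1) in result:
            continue
        ip = m.group(1)
        ptr = lookup(ip)
        if ptr is None:
            verdict = "no-rdns"
        elif is_self_identifying(ptr):
            verdict = "self-identifying-scanner"
        else:
            verdict = "unknown"
        result[ip] = (ptr, verdict)
    return result


# Constructed sample log: two ISC/OARC scanner addresses from the post, the
# looping 203.0.113.1, and an address with no reverse record at all.
CONSTRUCTED_LOG = [
    "Jul 30 03:12:01 fw kernel: IN=eth0 OUT= SRC=149.20.56.10 DST=192.0.2.53 PROTO=UDP SPT=51234 DPT=53",
    "Jul 30 03:12:02 fw kernel: IN=eth0 OUT= SRC=149.20.52.130 DST=192.0.2.53 PROTO=UDP SPT=40001 DPT=53",
    "Jul 30 03:12:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.1 DST=192.0.2.53 PROTO=UDP SPT=40002 DPT=53",
    "Jul 30 03:12:04 fw kernel: IN=eth0 OUT= SRC=149.20.56.10 DST=192.0.2.53 PROTO=TCP SPT=40003 DPT=80",
    "Jul 30 03:12:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.53 PROTO=UDP SPT=40004 DPT=53",
]

if __name__ == "__main__":
    for ip, (ptr, verdict) in triage(CONSTRUCTED_LOG).items():
        print(f"{ip:16} {verdict:26} {ptr or '-'}")
```

Run it with `lookup=live_lookup` against your own log extract to use the real resolver; the verdict is a hint for the person holding the ACL, not an allow-list, since anyone can put "scanner" in a PTR record.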