Anyone else seeing these?

Karl Schmidt

Apr 20, 2009, 2:58:08 PM
to kul...@googlegroups.com
Apr 20 12:44:28 kiwi named[23031]: dispatch 0x6c54c0: shutting down due to TCP receive error: 216.69.185.17#53: connection reset

Started showing up in the log - my hunch is there is a new attack looking to exploit Bind.

--------------------------------------------------------------------------------
Karl Schmidt EMail Ka...@xtronics.com
Transtronics, Inc. WEB http://xtronics.com
3209 West 9th Street Ph (785) 841-3089
Lawrence, KS 66049 FAX (785) 841-0434

Don't go around saying the world owes you a living.
The world owes you nothing. It was here first. -- Mark Twain

--------------------------------------------------------------------------------

gladi...@gmail.com

Apr 20, 2009, 4:32:09 PM
to kulua-l
Hrm...

A quick Google search on the primary terms in the error message
indicates a general consensus that these messages are due to a broken
domain server Out On The Internet. Another explanation is that a
firewall in front of the name server is trying to be a little too
tricky. If you're getting these often enough, scrape your network
traffic and have a look at the packets that are causing the problem.

It looks to me, though, that you're seeing what is described here:
http://isc.sans.org/diary.html?storyid=1538&isc=90f7e0cf745ef88d67ec

If you're extremely concerned, just block TCP/53 from anything that's
not an off-site slave.

-Stephen

On Apr 20, 1:58 pm, Karl Schmidt <k...@xtronics.com> wrote:
> Apr 20 12:44:28 kiwi named[23031]: dispatch 0x6c54c0: shutting down due to TCP receive error:
> 216.69.185.17#53: connection reset
>
> Started showing up in the log - my hunch is there is a new attack looking to exploit Bind.
>
> --------------------------------------------------------------------------------
> Karl Schmidt                                  EMail K...@xtronics.com
> Transtronics, Inc.                              WEB http://xtronics.com
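
An added example, not part of either post above: one way to judge whether these errors occur "often enough" to justify a packet capture is to tally them per remote address from the syslog file. It assumes each message is on one unwrapped line in the format quoted in the thread; the function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# One unwrapped syslog line in the format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"dispatch 0x[0-9a-fA-F]+: shutting down due to TCP receive error: "
    r"(?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<reason>.+)$"
)

def parse_line(line, year):
    """Return (time, addr, port, reason), or None for other lines. Syslog omits the year."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["addr"], int(m["port"]), m["reason"]

def summarize(lines, year):
    """Group the receive errors by remote address."""
    peers = defaultdict(lambda: {"count": 0, "first": None, "last": None, "reasons": set()})
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, addr, port, reason = rec
        p = peers[addr]
        p["count"] += 1
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
        p["reasons"].add(f"port {port}: {reason}")
    return dict(peers)

def repeat_peers(summary, min_count):
    """Addresses with at least min_count errors: candidates for a packet capture."""
    return sorted(a for a, p in summary.items() if p["count"] >= min_count)

# Constructed sample: only the first entry is from the thread; 192.0.2.10 is a documentation address.
_PFX = "kiwi named[23031]: dispatch 0x6c54c0: shutting down due to TCP receive error: "
SAMPLE = [
    "Apr 20 12:44:28 " + _PFX + "216.69.185.17#53: connection reset",
    "Apr 20 12:51:02 " + _PFX + "192.0.2.10#53: connection reset",
    "Apr 20 13:05:40 " + _PFX + "192.0.2.10#53: connection reset",
    "Apr 20 13:06:11 kiwi named[23031]: zone example.com/IN: loaded serial 2009042001",
    "Apr 20 13:09:59 " + _PFX + "192.0.2.10#53: connection reset",
]

if __name__ == "__main__":
    print(repeat_peers(summarize(SAMPLE, 2009), 3))
```

A single error from one address and a steady run from another call for different follow-up, so the first/last timestamps per address are kept alongside the count.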