
RE: [cobalt-security] Lame Server messages



Terrance wrote:
> I'd just like to point out that my query was not about lame 
> server messages in general, but about specific instances of
> peculiarly high traffic - 1000 lame server messages in a 1
> hour period.
<snip>
> each night in the same time slot and some if not many of the 
> IPs are .kr.

Bet you a dollar you're being scanned, or someone's trying to use your
machine as a relay.

If some nasty person comes along and connects repeatedly to service ports on
your machine, most of the services will attempt to do a reverse lookup. If
they try that, and find lame delegations, they'll get logged.

I could hit you with 1000 spoofed IP address SYN probes in less than a
second, never mind an hour. And if all those spoofed IPs are actually real
ones, your reverse lookups are gonna start finding all the lame servers that
go with them (if there are any).

I'd start examining your other logfiles for connection attempts - especially
as you've already said you're running portsentry and IPChains.

> I searched the posts in this and other lists before I put my 
> original post up and found nothing similar to what I'm seeing here.
> I'd like to think that any good admin in this list seeing 1000
> new error messages in their logs would (again) question the security

Spot on :) but it depends on how many messages you normally see... I have
nameservers with almost 150000 domains on them, so we see a lot of warnings!

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
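A defender-side check for the pattern Graeme describes, added here as an example and not code from the thread: it parses constructed BIND-style "lame server" lines, recovers the client address each PTR lookup was for, counts messages per hour against a baseline, and matches those addresses against constructed PortSentry-style connection entries logged in the same hour. The log formats, hostnames and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample syslog lines (not from the original thread). The BIND
# "lame server" and PortSentry "attackalert" wording is an assumption about
# format; adjust the regexes to whatever your named and syslog actually emit.
NAMED_LOG = """\
Mar  4 02:13:07 raq named[312]: lame server resolving '7.0.0.203.in-addr.arpa' (in '0.0.203.in-addr.arpa'?): 203.0.113.9#53
Mar  4 02:13:08 raq named[312]: lame server resolving '8.0.0.203.in-addr.arpa' (in '0.0.203.in-addr.arpa'?): 203.0.113.9#53
Mar  4 02:14:01 raq named[312]: lame server resolving '2.113.0.203.in-addr.arpa' (in '113.0.203.in-addr.arpa'?): 198.51.100.2#53
Mar  4 09:40:22 raq named[312]: lame server resolving '5.2.0.192.in-addr.arpa' (in '2.0.192.in-addr.arpa'?): 192.0.2.53#53
"""
CONN_LOG = """\
Mar  4 02:13:06 raq portsentry[401]: attackalert: Connect from host: 203.0.0.7/203.0.0.7 to TCP port: 143
Mar  4 02:13:07 raq portsentry[401]: attackalert: Connect from host: 203.0.0.8/203.0.0.8 to TCP port: 143
Mar  4 02:14:00 raq portsentry[401]: attackalert: Connect from host: 203.0.113.2/203.0.113.2 to TCP port: 110
"""
HOUR_RE = re.compile(r"^(\w{3}\s+\d+ \d{2}):\d{2}:\d{2} ")   # "Mar  4 02" bucket
LAME_RE = re.compile(r"lame server resolving '(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa'")
CONN_RE = re.compile(r"Connect from host: (\d+\.\d+\.\d+\.\d+)/")

def lame_lookups(named_log):
    """Yield (hour, client_ip) per lame-server line caused by a PTR query.
    '7.0.0.203.in-addr.arpa' is 203.0.0.7 with its octets reversed: the address
    some service on this host tried to resolve, i.e. a client that connected."""
    for line in named_log.splitlines():
        hour, lame = HOUR_RE.match(line), LAME_RE.search(line)
        if hour and lame:
            yield hour.group(1), ".".join(reversed(lame.groups()))

def lame_per_hour(named_log):
    """Messages per hour, so a burst can be judged against the host's baseline."""
    return Counter(hour for hour, _ in lame_lookups(named_log))

def suspicious_hours(named_log, baseline):
    """Hours in which lame-server volume exceeds what this host normally logs."""
    return sorted(h for h, n in lame_per_hour(named_log).items() if n > baseline)

def correlate(named_log, conn_log):
    """Addresses both reverse-looked-up (named log) and seen connecting (connection
    log) in the same hour; a large overlap means the DNS noise follows the probes."""
    conns = defaultdict(set)
    for line in conn_log.splitlines():
        hour, conn = HOUR_RE.match(line), CONN_RE.search(line)
        if hour and conn:
            conns[hour.group(1)].add(conn.group(1))
    matched = defaultdict(set)
    for hour, ip in lame_lookups(named_log):
        if ip in conns.get(hour, ()):
            matched[hour].add(ip)
    return {h: sorted(ips) for h, ips in matched.items()}
```

Set `baseline` from a quiet day's counts, as Graeme notes a busy nameserver logs many of these legitimately; an hour that exceeds it and whose addresses overlap the connection log is the case to chase in the other logfiles.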