Infinite-Monkeys got crazy?

Jens Ahlin jah at CALEOTECH.COM
Mon Mar 15 10:07:11 GMT 2004


Hi,

I got timeouts against Infinite-Monkeys and found that named reported the
following errors:
named[917]: socket.c:1100: unexpected error:
named[917]: internal_send: 244.254.254.254#53: Invalid argument

After some googling I found this on a Security Focus mailing list:


        Jens

<From Security Focus archive>
http://www.securityfocus.com/archive/105/354179/2004-02-13/2004-02-19/0
I had this too and got help off the bind mailing list, here is the response:

Just an addition: I've seen the same errors on our servers and I
wondered where these requests come from. Upon stracing 'named' I found
out that it spits out these warnings when trying to look up anything
from 'relays.monkeys.com', a now defunct DNS based black list.

Evidently they tried to blackhole all dnsbl queries to their db to make
people stop using their defunct service:

------
# dig @66.60.159.24 relays.monkeys.com NS

relays.monkeys.com.     86400   IN      NS      bogus-maximus.monkeys.com.

;; ADDITIONAL SECTION:
bogus-maximus.monkeys.com. 86400 IN     A       244.254.254.254
------

They changed the NS record to this bogus IP recently, that's why people
start seeing these errors.

Of course, as Mark pointed out, the right solution is to filter
240.0.0.0/4 entirely. If you cannot filter for some reason then you
still could add "relays.monkeys.com" as a primary zone with no data
(except SOA + NS) in it and your problems are gone.


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: den 15 mars 2004 10:58
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Infinite-Monkeys got crazy?
>
>
> This is the 3rd report of this I have seen this morning, having not heard
> of anything like this for months. Looks like someone is doing a DoS attack
> by getting everyone's servers listed in Infinite-Monkeys.
>
> Any similar reports of this from anyone else?
>
> At 09:34 15/03/2004, you wrote:
> >Hi list,
> >
> >an hour ago every mail (sent from localnet) that would go through my
> >SA+Postfix+MS
> >configuration was marked as spam - anyone else experienced this?
> >
> >--
> >Nejc Skoberne
> >Grajska 5
> >SI-5220 Tolmin
> >E-mail: nejc.skoberne at guest.arnes.si
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
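
An added example, not part of the original thread: a small check that reads dig-style NS and A records and reports zones whose nameserver glue falls inside 240.0.0.0/4, the range the quoted reply recommends filtering. The sample input is constructed from the two records shown in the dig output above plus a hypothetical healthy delegation (`example.org`, `192.0.2.53`); the function names are illustrative.

```python
import ipaddress

# The range the quoted reply says to filter entirely.
CLASS_E = ipaddress.ip_network("240.0.0.0/4")

# Constructed sample: the records from the dig output in the post,
# followed by a hypothetical, correctly delegated zone for contrast.
SAMPLE = """\
relays.monkeys.com.     86400   IN      NS      bogus-maximus.monkeys.com.
;; ADDITIONAL SECTION:
bogus-maximus.monkeys.com. 86400 IN     A       244.254.254.254
example.org.            3600    IN      NS      ns1.example.org.
ns1.example.org.        3600    IN      A       192.0.2.53
"""

def parse_records(text):
    """Yield (owner, rtype, rdata) from dig-style record lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig section comments
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not an "owner ttl IN type rdata" line
        yield fields[0].lower(), fields[3].upper(), fields[4]

def unusable_delegations(text):
    """Return {zone: [(nameserver, address), ...]} for glue in 240.0.0.0/4."""
    ns_of, addr_of = {}, {}
    for owner, rtype, rdata in parse_records(text):
        if rtype == "NS":
            ns_of.setdefault(owner, []).append(rdata.lower())
        elif rtype == "A":
            addr_of.setdefault(owner, []).append(rdata)
    findings = {}
    for zone, servers in ns_of.items():
        for ns in servers:
            for addr in addr_of.get(ns, []):
                try:
                    ip = ipaddress.IPv4Address(addr)
                except ValueError:
                    continue  # malformed address, nothing to classify
                if ip in CLASS_E:
                    findings.setdefault(zone, []).append((ns, addr))
    return findings

if __name__ == "__main__":
    for zone, glue in unusable_delegations(SAMPLE).items():
        print(zone, "->", glue)
```

Run against the NS answers for each DNSBL zone a mail filter is configured to query, this flags lists whose delegation now points at unroutable space before named starts logging send errors for them.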


