ZONE TRANSFER ATTEMPT MITIGATION

1. Mitigation of the attack

Add the access list at the top of /etc/bind/named.conf.options - remember, X is your TLD group number:

    NS1-TLDX> sudo pico /etc/bind/named.conf.options

    // BEGIN add
    acl transfer-ok { 192.168.10X.0/24; };   // only allow AXFR from my subnet X
    // END add

Then find the "options" block, and in it add the allow-transfer line:

    options {
        // ...
        // BEGIN add
        allow-transfer { localhost; transfer-ok; };
        // END add
        // ...
    };

Restart your bind server:

    NS1-TLDX> sudo /etc/init.d/bind9 restart

2. Swatch rules for reacting to zone transfer attempts

Edit /etc/swatch.conf:

    NOC-TLDX> sudo pico /etc/swatch.conf

And add:

    # Denied AXFRs
    watchfor /client ([0-9.:]+)\D\d+: zone transfer '(.*)\/.XFR\/IN' denied$/
        mail=monitoring,subject=Denied AXFR for zone '$2' from $1
        throttle threshold=3,delay=0:1:0,key=$1
        threshold track_by=$1, type=limit, count=10, seconds=600

** Remember, don't try to type this in, copy and paste it!

Then restart swatch:

    NOC-TLDX> ps ax | grep swatch

Find the PID of the swatch process and kill it:

    NOC-TLDX> sudo kill -9 xxxx

where xxxx is the PID of the swatch process.

Run swatch:

    NOC-TLDX> sudo swatch -c /etc/swatch.conf --tail-file=/var/log/everything --daemon

Wait for Dr. Evil to re-run his attacks. Now check your mail:

    NOC-TLDX> mutt

You should see a message about a denied zone transfer attempt.

What happens if you run a zone transfer from your NOC box?

    NOC-TLDX> dig @192.168.10X.10 axfr tldX.

Note: remember to replace X with your group number!
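To see what the swatch rule above actually matches and how its per-client "type=limit" threshold suppresses repeats, here is an added Python example (not part of the lab handout) that runs the same regular expression over a few constructed syslog lines in the shape BIND writes and applies a rolling per-client alert limit; the hostnames, addresses and timestamps in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same pattern as the swatch rule: group 1 is the client address, group 2 is the
# zone taken from '<zone>/AXFR/IN' (the '.XFR' also matches IXFR requests).
DENIED_XFR = re.compile(r"client ([0-9.:]+)\D\d+: zone transfer '(.*)/.XFR/IN' denied$")

# Constructed sample lines in the shape BIND logs through syslog (not real captures).
SAMPLE_LOG = """\
Mar  3 10:00:01 ns1 named[1234]: client 192.168.200.5#40001: zone transfer 'tld1/AXFR/IN' denied
Mar  3 10:00:02 ns1 named[1234]: client 192.168.200.5#40002: zone transfer 'tld1/AXFR/IN' denied
Mar  3 10:00:03 ns1 named[1234]: client 192.168.101.10#53: query: www.tld1 IN A + (192.168.101.10)
Mar  3 10:00:04 ns1 named[1234]: client 192.168.101.10#40003: zone transfer 'tld1/IXFR/IN' denied
Mar  3 10:05:05 ns1 named[1234]: client 192.168.200.5#40004: zone transfer 'tld1/AXFR/IN' denied
"""

EPOCH = datetime(1900, 1, 1)  # syslog stamps carry no year; only differences matter here


def parse_denied_transfers(text):
    """Return (seconds, client, zone) for each denied AXFR/IXFR line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENIED_XFR.search(line)
        if not m:
            continue
        # The syslog timestamp is the first 15 characters, e.g. 'Mar  3 10:00:01'.
        stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        events.append(((stamp - EPOCH).total_seconds(), m.group(1), m.group(2)))
    return events


def limit_alerts(events, count=10, seconds=600):
    """Approximation of swatch 'threshold track_by=$1, type=limit': per client, send at
    most `count` alerts in any rolling `seconds` window and drop the rest."""
    sent = defaultdict(list)  # client -> timestamps of alerts already sent
    alerts = []
    for ts, client, zone in events:
        window = [t for t in sent[client] if ts - t < seconds]
        if len(window) < count:
            alerts.append(f"Denied AXFR for zone '{zone}' from {client}")
            window.append(ts)
        sent[client] = window
    return alerts


if __name__ == "__main__":
    for alert in limit_alerts(parse_denied_transfers(SAMPLE_LOG), count=2):
        print(alert)
```

With the page's defaults (count=10 in 600 seconds) every denied attempt in the sample is reported; lowering count to 2 shows the third attempt from the same client being suppressed.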