Security Incidents mailing list archives
Re: Scans... (was Re: 3 Solaris reboot in 3 days)
From: Pierre Vandevenne <pierre () datarescue com>
Date: Wed, 2 Aug 2000 02:36:26 +0200
On Wed, 2 Aug 2000 02:43:20 +0300 (IDT), mixter () 2xs co il wrote:
> Also, a non-intrusive querying for bind versions, to get a better perspective of security by gathering demographic data of the used bind versions (with bind being arguably the most often exploited service recently).
Precisely. If you see it from the "scannee" point of view, how does he distinguish that from a "recon" operation by a script kiddie preparing a bind exploit?
> After our scan of some 16.581.375 addresses for just this information, all that we have received were 3 requests to explain our activity, which we promptly did.
Well, kind of... :-) Anyway, will the data you gathered from the survey be made public? What you found should be statistically interesting.
> I noticed you mention BlackICE on Windows 98. From my experience, it is a very sensitive type of IDS, that can create extensive log entries, for example "DNS port probe" for just receiving a udp/53 packet, and "BIND version request" in addition to the first notice. That might be why you originally considered this incident more than a simple version query.
In fact, the cisco log was what grabbed my attention first, then BlackIce, then two other logging / protection mechanisms we have in place on our network and which I shall not describe publicly <G>. Anyway I consider that a version query on our DNS software is an aggressive behaviour - that's why I brought the matter here btw - I'd like to know how other people feel about that. Is there really any legitimate reason to scan a full class C for BIND versions? You were scanning for vulnerabilities, with a white hat - but how can the target of a scan tell the colour of the scanner's hat? Noticing that the attack came from a company raised my level of alarm btw - I suspected you had more resources than the average script kiddie and therefore represented a greater danger. Heuristics, you have no choice but to apply some in life...

Another point: I have no choice but to lose _some_ time evaluating your scan when I notice it. As a busy person I'd rather avoid that. OTOH, surveys are useful - no doubt about that.

As far as BlackIce is concerned, yes I tend to agree with you, it is way too sensitive for the casual user, even in cautious mode - that is why we only use it on one WS, as a kind of watchdog. But it still remains a great, generally reliable, useful tool and the support was top notch when I contacted them about early versions.

Kind Regards

Pierre

---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
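As an added illustration for the BlackICE behaviour mixter describes above (this is editor-added example code, not anything posted in the thread and not BlackICE's logic), the following Python parses the question section of a udp/53 datagram and labels it the same two ways: every datagram on the port is a "DNS port probe", and a well-formed query for version.bind in class CH, type TXT is additionally a "BIND version request". The two packets at the top are constructed by hand for the demonstration, not captured traffic; the alert strings are modelled on the two log entries quoted in the thread.

```python
import struct

# Constructed sample datagrams (not captured traffic).
# A BIND version query: QNAME version.bind, QTYPE TXT (16), QCLASS CH (3).
VERSION_BIND_QUERY = (
    bytes.fromhex("1234" "0100" "0001" "0000" "0000" "0000")  # id, RD, qdcount=1
    + b"\x07version\x04bind\x00"
    + struct.pack("!HH", 16, 3)
)
# An ordinary recursive lookup: QNAME example.com, QTYPE A (1), QCLASS IN (1).
ORDINARY_A_QUERY = (
    bytes.fromhex("abcd" "0100" "0001" "0000" "0000" "0000")
    + b"\x07example\x03com\x00"
    + struct.pack("!HH", 1, 1)
)

QTYPE_NAMES = {1: "A", 16: "TXT"}
QCLASS_NAMES = {1: "IN", 3: "CH"}


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass) for the first question in a DNS message.

    Raises ValueError on a short or malformed datagram so that a truncated
    probe is reported instead of crashing the monitor.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        if length == 0:          # root label terminates the name
            pos += 1
            break
        if length & 0xC0:        # compression pointers do not belong in a query name
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("question truncated before type/class")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels).lower(), qtype, qclass


def classify_udp53(packet: bytes) -> str:
    """Label a udp/53 datagram the way the sensitive host IDS in the thread does."""
    try:
        qname, qtype, qclass = parse_question(packet)
    except ValueError:
        return "DNS port probe (unparseable)"
    if qname == "version.bind" and qclass == 3 and qtype == 16:
        return "BIND version request"
    return "DNS port probe (%s %s %s)" % (
        qname, QCLASS_NAMES.get(qclass, qclass), QTYPE_NAMES.get(qtype, qtype))


if __name__ == "__main__":
    for pkt in (VERSION_BIND_QUERY, ORDINARY_A_QUERY, b"\x00\x01"):
        print(classify_udp53(pkt))
```

The point of the second label is the one Pierre makes: the datagram is byte-for-byte identical whether it comes from a survey or from someone fingerprinting a server before choosing an exploit, so the classifier can only say what was asked, not why; the decision to treat a version query as hostile is a policy applied on top of it.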