Security Incidents mailing list archives

Re: Scans... (was Re: 3 Solaris reboot in 3 days)


From: Pierre Vandevenne <pierre () datarescue com>
Date: Wed, 2 Aug 2000 02:36:26 +0200

On Wed, 2 Aug 2000 02:43:20 +0300 (IDT), mixter () 2xs co il wrote:

> Also, a non-intrusive querying for bind versions,
> to get a better perspective of security by gathering
> demographic data of the used bind versions (with bind being arguably the most
> often exploited service recently).

Precisely. If you see it from the "scannee" point of view, how does he
distinguish that from a "recon" operation by a script kiddie preparing
a bind exploit?

> After our scan of some 16.581.375 addresses
> for just this information, all that we have received were 3 requests to explain
> our activity, which we promptly did.

Well, kind of... :-)  Anyway, will the data you gathered from the
survey be made public? What you found should be statistically
interesting.

> I noticed you mention BlackICE on Windows 98. From my experience, it is a very
> sensitive type of IDS, that can create extensive log entries, for example
> "DNS port probe" for just receiving a udp/53 packet, and "BIND version
> request" additionally to the first notice. That might be why you originally
> considered this incident more than a simple version query.

In fact, the cisco log was what grabbed my attention first, then
BlackICE, then two other logging / protection mechanisms we have in
place on our network and which I shall not describe publicly <G>.
Anyway I consider that a version query on our DNS software is an
aggressive behaviour - that's why I brought the matter here btw - I'd
like to know how other people feel about that. Is there really any
legitimate reason to scan a full class C for BIND versions? You were
scanning for vulnerabilities, with a white hat - but how can the target
of a scan tell the colour of the scanner's hat?  Noticing that the
attack came from a company raised my level of alarm btw - I suspected
you had more resources than the average script kiddie and therefore
represented a greater danger. Heuristics, you have no choice but to
apply some in life... Another point: I have no choice but to lose
_some_ time evaluating your scan when I notice it. As a busy person I'd
rather avoid that. OTOH, surveys are useful - no doubt about that.

As far as BlackICE is concerned, yes I tend to agree with you, it is
way too sensitive for the casual user, even in cautious mode - that is
why we only use it on one WS, as a kind of watchdog. But it still
remains a great, generally reliable, useful tool and the support was
top notch when I contacted them about early versions.

Kind Regards
Pierre


---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
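The thread contrasts a bare udp/53 probe with a "BIND version request", which in practice is a TXT query for the name version.bind in the CHAOS class. The following is an added illustration, not code from the list or from BlackICE, of how a defender-side sensor can tell the two apart by parsing the question section of a DNS query; the sample packets are constructed inline, and the function names are this example's own.

```python
import struct

QTYPE_TXT, QCLASS_CHAOS = 16, 3

def build_query(qname, qtype, qclass, txid=0x1234):
    """Constructed sample query (not captured traffic): header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(packet):
    """Return (qname, qtype, qclass) from the first question of a DNS packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length & 0xC0:  # compression pointer: never valid in a query name
            raise ValueError("unexpected compression pointer")
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels).lower(), qtype, qclass

def classify(packet):
    """Two-tier alert as described in the thread: every udp/53 packet is a
    'DNS port probe'; a version.bind CH TXT question adds 'BIND version request'."""
    alerts = ["DNS port probe"]
    try:
        qname, qtype, qclass = parse_question(packet)
    except ValueError:
        return alerts + ["malformed DNS query"]
    if qname == "version.bind" and qclass == QCLASS_CHAOS and qtype == QTYPE_TXT:
        alerts.append("BIND version request")
    return alerts

VERSION_QUERY = build_query("version.bind", QTYPE_TXT, QCLASS_CHAOS)
NORMAL_QUERY = build_query("example.com", 1, 1)  # ordinary A/IN lookup
```

Feeding `classify` the payload of each inbound udp/53 datagram reproduces the alert pair the thread mentions, while an ordinary lookup only produces the first notice.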

