Security Incidents mailing list archives

Re: Microsoft version.binding us now?


From: billm () DANGER MS (Bill Marquette)
Date: Thu, 1 Jun 2000 19:12:04 -0500


From F5 tech support:

    The current methods of probing that we do are an ICMP ping, a UDP or TCP
    1/2 open socket connect which we gracefully shut down after. And in the
    soon to be released 2.1 we have added two new protocols to the list,
    DNS_VER and DNS_DOT. The DNS_VER is what he is seeing; this is a less
    obtrusive method of probing an LDNS. It is easy to set the version type
    of BIND to a bogus parameter such as "chaos" or "go away". We don't care
    what the response is; we are not looking for the version, just the
    response.

    You can also ask our customer to be removed from their probing list.

The argument is of course ridiculous.  DNS_VER is NOT less obtrusive than
any of the other options they mentioned.

As a side note, can people PLEASE stop sending their "out of office"
messages to people posting to this list?

--Bill
--billm () danger ms
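
Added example, not part of the original post or of F5's code: a small parser for sorting captured DNS queries into version probes and ordinary lookups when reviewing name server traffic. It assumes the DNS_VER probe is the standard BIND version query (a TXT query for `version.bind` in class CHAOS); the function names and sample packets are constructed for illustration.

```python
import struct

CLASS_CH = 3    # CHAOS class
TYPE_TXT = 16   # TXT record type

def parse_question(msg: bytes):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer or bad label in question")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_version_probe(msg: bytes) -> bool:
    """True for a query (QR bit clear) asking for CH TXT version.bind."""
    try:
        question = parse_question(msg)
    except ValueError:
        return False  # malformed packets are not classified as probes
    is_query = (msg[2] & 0x80) == 0
    return is_query and question == ("version.bind", TYPE_TXT, CLASS_CH)

def build_query(name: str, qtype: int, qclass: int, txid: int = 0x1234) -> bytes:
    """Construct a one-question query; used only to make sample data."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

# Constructed sample packets: one version probe, one ordinary A/IN lookup.
SAMPLES = {
    "probe": build_query("VERSION.BIND", TYPE_TXT, CLASS_CH),
    "normal": build_query("www.example.com", 1, 1),
}
```
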

