Scans... (was Re: 3 Solaris reboot in 3 days)

[Pierre Vandevenne <pierre () datarescue com>]

On Fri, 28 Jul 2000 23:33:28 +0300, mixter () 2XS CO IL wrote:

First of all, I would like to say that this message is not intended as
a complaint, but rather as an opportunity to open a discussion. As far
as we are concerned, the incident is closed. But since both 2XS and us
are connected to this list and since we have a most talented
membership, I thought that it could be interesting to get your ideas,
feedback, especially on the ethical aspects of this situation.

On the 26th of June, probes from your company reached our class-C.
Among many events that we have extensively logged, we noted a
particular interest for our DNS system. Somehow you were interested in
the versions of BIND that we were running, so interested in fact that
you felt the need to request information from all of our machines. Here
is for example a blackice log of one of our Windows 98 machines that
wasn't of course running any DNS server...

39, 2000-06-26 10:36:56, 2000417, DNS BIND version request, 62.0.29.50,
2xs.co.il, 195.0.122.9, , , 1, A
39, 2000-06-26 10:36:56, 2003409, DNS port probe, 62.0.29.50,
2xs.co.il, 195.0.122.9, , port=53, 1, A

and a log from our cisco router that did not appear to like some of the
packets you sent

Jun 26 10:57:20 csco 86943: %SEC-6-IPACCESSLOGP: list 101 denied udp
62.0.29.50(2612) -> 195.0.122.10(53), 1 packet
Jun 26 10:57:20 csco 86944: %SEC-6-IPACCESSLOGP: list 101 denied udp
62.0.29.50(2612) -> 195.0.122.64(53), 1 packet
Jun 26 10:57:20 csco 86945: %SEC-6-IPACCESSLOGP: list 101 denied udp
62.0.29.50(2612) -> 195.0.122.66(53), 1 packet
Jun 26 10:57:20 csco 86946: %SEC-6-IPACCESSLOGP: list 101 denied udp
62.0.29.50(2612) -> 195.0.122.67(53), 1 packet
Jun 26 10:57:20 csco 86947: %SEC-6-IPACCESSLOGP: list 101 denied udp

(these are fragments of logs of course, we have archived quite a bit of
interesting information regarding this case).

Was this an attack against our network ? We are aware of many attacks
beginning by a bind vulnerability scan. If that wasn't an attack and
just was a mere survey, is that type of survey acceptable behaviour ?

We notified 2xs of what was going on and got this response

***
Dear Mr. Vandevenne,

the included scan logs just show that udp packets from our domain were
sent to your host(s) to port 53/udp, and blocked by your router's
ACL's.
Without analyzing the content of these packets, you cannot make any
claims
about their purpose. What we did was query the name server version on a
certain network block that included your network. This kind of traffic
is
not intrusive, illegal, nor does it constitute 'hack attacks' in any
way.
As a matter of fact, you are connected to a public network, the
internet,
and implicitly accept any traffic to your network that you don't block.
However,
you even blocked the traffic and it never reached the actual
destination
systems, which is why we don't understand how you can actually claim
you
knew its purpose. If you have any valid claims to make, we are
listening.
If you wish us to totally exclude your netblock from outgoing traffic
from
our network to the internet, please send a request including your
netblock(s)
in CIDR notation to info () 2xs co il, and we will never contact them
again.

Sincerely,

2xs, Incident Response Team
abuse () 2xs co il

***

Is that an acceptable response ? We all know of the severe BIND
vulnerabilities and their potential consequences. On the whole, is that
type of behaviour acceptable ? We have two DNS servers on our network -
they are publically accessible. Did they need to scan ALL machines ?
What would you sysadmin do ? File a formal complaint ? Counter Attack ?
 Would you entrust a company that behaves like this with your security
?

What do you think ? What would you do if it was your network ?







---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm