Re: Microsoft version.binding us now?

[billm () DANGER MS (Bill Marquette)]

I've already sent email to the tech people at F5 asking if their product
does this in normal operation.  As I find out information I'll definately
post it here.  We may end up using our corporate weight with Microsoft to
dig into this a little farther.  I hate to just outright dig at Microsoft,
but this is ridiculous, there's no reason for their product to do this
unless it's broken.  Query types of TXT w/ a class of CHAOS and a query of
"VERSION.BIND" doesn't exactly "just happen" from a malformed packet.

--Bill
--billm () danger ms
----- Original Message -----
From: "Klaus Steding-Jessen" <jessen () NIC BR>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, May 30, 2000 10:18 AM
Subject: Re: Microsoft version.binding us now?

<snip>

> > From: ITG Information Security Center <infosec () microsoft com>
> > Sender: Greg Galford <ggalford () microsoft com>
> > Subject: FW: SECURITY: Hacking activity from your domain
> > Date: Fri, 26 May 2000 07:31:42 -0700
> > X-Mailer: Internet Mail Service (5.5.2651.58)
> >
> >
> > Hi, these packets you are seeing are not probes, but are coming from
> > an F5 networks product, 3dns (see:
> > http://www.f5.com/3dns/index.html).
>
> [snip]
>
> Hard to believe that 3dns is using version.bind probes to collect RTT
> information.  Can anyone confirm this?
>
> Klaus.