Security Incidents mailing list archives
Re: Microsoft version.binding us now?
From: billm () DANGER MS (Bill Marquette)
Date: Sat, 24 Jun 2000 10:23:31 -0500
Unfortunately, there seems to have been an epidemic increase in usage of the various features of the F5 3DNS product. In the last week alone we've identified another five 3DNS customers based on the query signatures alone (which we're still blocking). This has got me wondering if there are any nasty games that could be played, seeing as these are automated responses to hits on web servers.

What I find most annoying about this is that multi-homed networks utilizing internal Squid proxies and round-robin capabilities to load balance web usage make 3DNS triangulation pointless. Traffic from our network rarely ever follows the same path out on subsequent requests.

Has anyone thought of a way to ferret out 3DNS signatures versus positive cracker attempts? While a human can see a pattern in the 3DNS queries, automation can't (that I know of) and stupidly emails (and occasionally pages) us on these false positives. Since I know there's at least one F5 person on this list, maybe he can answer :) Is there anything unique about the signature that we can watch for?

OTOH, maybe we don't want to know; I'd rather have the false positives than find a way to ignore the false positives and have some kid create a scanner based on that signature. So I guess a better question would be: if we actively block version.bind and "." requests in our BIND configs, does 3DNS still get useful information to calculate RTT? If not, would F5 consider making it clear in their documentation that numerous admins block such requests?

For the record, I know of at least one 3DNS user that got hounded the day they started using the product. I suspect they started using the other RTT features of the product to stop getting calls and emails from angry admin staff (one of them being us giving them a friendly call telling them they'd possibly been cracked).
--Bill
Bill Marquette
billm () danger ms

----- Original Message -----
From: "Oliver Friedrichs" <ofriedrichs () SECURITYFOCUS COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, June 23, 2000 4:37 PM
Subject: Re: Microsoft version.binding us now?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also note that commercial security scanners like CyberCop Scanner and ISS have pulled version.bind information for years now. I'd still suspect that in Microsoft's case, it is in fact their load balancing solution, which the vendor indeed verified.

Oliver
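The two query types Bill names, version.bind (class CHAOS, type TXT) and a query for the root name ".", are easy to recognise on the wire once you decode the question section. The following is an added example, not code from the thread or from F5; it builds such queries from constructed data, parses them back, and tallies per source so an alerting script can report "N version.bind/root probes from host X" instead of paging once per packet. It classifies only those two query types and makes no claim about what a 3DNS probe pattern looks like beyond that.

```python
import struct

QTYPE_TXT, QTYPE_NS = 16, 2
QCLASS_IN, QCLASS_CH = 1, 3


def encode_name(name):
    """Encode a DNS name as wire-format labels; the root "." is a single zero byte."""
    out = b""
    if name != ".":
        for label in name.strip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qclass, txid=0x1234):
    """Build a minimal one-question DNS query (RD set), as a resolver or prober would."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, qclass)


def decode_name(data, offset):
    """Decode uncompressed labels starting at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return (".".join(labels) + "." if labels else "."), offset


def parse_question(pkt):
    """Return (qname, qtype, qclass) of the first question in a DNS query message."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return qname, qtype, qclass


def classify(pkt):
    """Label a query as 'version.bind', 'root' or 'other' (the kinds discussed above)."""
    qname, qtype, qclass = parse_question(pkt)
    if qclass == QCLASS_CH and qtype == QTYPE_TXT and qname.lower() == "version.bind.":
        return "version.bind"
    if qname == ".":
        return "root"
    return "other"


def tally(packets):
    """Count probe kinds per source IP over (src_ip, raw_query) pairs."""
    counts = {}
    for src, pkt in packets:
        kind = classify(pkt)
        counts.setdefault(src, {}).setdefault(kind, 0)
        counts[src][kind] += 1
    return counts


# Constructed sample traffic (hypothetical addresses, not from the thread).
SAMPLE = [
    ("192.0.2.10", build_query("version.bind", QTYPE_TXT, QCLASS_CH)),
    ("192.0.2.10", build_query(".", QTYPE_NS, QCLASS_IN)),
    ("192.0.2.10", build_query(".", QTYPE_NS, QCLASS_IN, txid=0x4321)),
    ("198.51.100.7", build_query("www.example.com", 1, QCLASS_IN)),
]

if __name__ == "__main__":
    for src, kinds in tally(SAMPLE).items():
        print(src, kinds)
```

The check on class CHAOS matters: a TXT query for version.bind in class IN is not the BIND version probe, so matching on the name alone over-counts.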