nanog mailing list archives
Re: SERVER NAMES
From: Joe Shaw <jshaw () insync net>
Date: Thu, 3 Feb 2000 01:48:47 -0600 (CST)
On Wed, 2 Feb 2000, Patrick Greenwell wrote:
> Sure. Esp. for blackhats. Which makes the more "attractive" target;
>
>   db.accounting.bigcorp.com
>   foozlebutt.bigcorp.com
>
> Do we need to re-visit the "security through obscurity" argument here?
I think some level of obscurity is needed when it comes to DNS names. Think about how many people still include things like HINFO, WKS, AFSDB, X25, ISDN, and RT records in their zone files. It's a lot less common than it used to be, though I come across them every so often. The idea is that by obscuring some areas of information via certain services, it will be easier to catch Cracker X via an IDS, firewall, etc. when he/she has to use alternate means to get the information he/she wants.

Example: Company A has a big bad firewall and IDS setup that they paid a lot of money for to stop people from trying to mount attacks into their soft, chewy corporate network, full of confidential information and R&D boxes. So, they can do such neat things as detect portscans and block incoming traffic from the offending host and other such things in an effort to help keep information about their network a secret. Not a bad thing, really, though the ability for network security hardware to make decisions on its own still makes me a bit uneasy, but that's getting off on a tangent.

So, they've got this great setup, but they've been kind enough to provide you with WKS and HINFO records and the ability to transfer their entire zone file(s). Then you've got an instant list of servers and what OS/services they are running without ever using nmap/strobe, making all that money invested in the firewall and IDS somewhat of a waste. It's certainly self-defeating.

I've found large companies who seem to have a SysAdmin group handling all the servers/services (DNS) and a Networking group handling the firewalls and IDS don't seem to communicate very well. It comes down to a case of the right hand not knowing exactly what the left is doing, and it's detrimental to the security posture of any company. But, in some cases this can work to your advantage. You can name a honeypot machine customerbillingdb.company.com with HINFO of something really exploitable like RedHat 5.1 or an old Solaris version and see what kind of things happen.

Wow, pseudo-operational content about the effectiveness of hostnames.

--
Joseph W. Shaw - jshaw () insync net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
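The post's point is that HINFO, WKS and similar records hand out an OS and service inventory that a firewall and IDS are then paid to hide. Below is an added example (not from the thread or any project it mentions) of the kind of zone audit a DNS team could run before serving a zone: it parses BIND-style master-file text and flags those record types. The sample zone and the host details in it are constructed for illustration.

```python
"""Audit a BIND-style zone file for records that disclose host details.

Flags the record types the post names as needless information leaks
(HINFO, WKS, AFSDB, X25, ISDN, RT) so they can be removed before the
zone is published or allowed to be transferred.
"""

# Record types that disclose OS, listening services, or topology.
LEAKY_TYPES = {"HINFO", "WKS", "AFSDB", "X25", "ISDN", "RT"}
CLASSES = {"IN", "CH", "HS"}


def parse_zone(text):
    """Yield (owner, rtype, rdata) for each record in master-file text.

    Handles ';' comments, $-directives, optional TTL/class fields, and
    blank owner names (which inherit the previous record's owner).
    """
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():        # explicit owner name on this line
            owner = fields.pop(0)
        # Skip the optional TTL and class fields that precede the type.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if not fields:
            continue
        rtype = fields.pop(0).upper()
        yield owner, rtype, " ".join(fields)


def find_leaks(text):
    """Return [(owner, rtype, rdata)] for records that expose host details."""
    return [rec for rec in parse_zone(text) if rec[1] in LEAKY_TYPES]


# Constructed sample zone (hostnames borrowed from the thread's example).
SAMPLE_ZONE = """\
$ORIGIN bigcorp.com.
$TTL 3600
@               IN  SOA   ns1 hostmaster (2000020301 3600 900 604800 3600)
                IN  NS    ns1
db.accounting   IN  A     192.0.2.10
                IN  HINFO "Sun Ultra 5" "Solaris 2.5.1"
                IN  WKS   192.0.2.10 tcp telnet ftp smtp
foozlebutt      IN  A     192.0.2.11   ; no HINFO, nothing to mine
www             300 IN A  192.0.2.12
"""

if __name__ == "__main__":
    for owner, rtype, rdata in find_leaks(SAMPLE_ZONE):
        print(f"{owner:<16} {rtype:<6} {rdata}")
```

Pair this with a check that zone transfers are restricted to the secondaries, since a clean zone file helps little if AXFR is open to anyone.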