nanog mailing list archives
Re: Update to BCP-38?
From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 9 Oct 2019 04:25:48 -0400
On Tue, Oct 08, 2019 at 10:03:16AM -0700, William Herrin wrote:
Limiting the server banner so it doesn't tell an adversary the exact OS-specific binary you're using has a near-zero cost and forces an adversary to expend more effort searching for a vulnerability.
Why would they bother performing that search? Why not use their botnets to throw every exploit they have at a service and see if anything works? That's easier and cheaper and faster than being selective. It also -- if they happen to have a working exploit -- blows right past (announced) versions, whether real, fake, or elided. Brute force is cheap, analysis is expensive.

Case in point: every mail server I have eyeballs on was probed by attackers trying to exploit the recent exim vulnerability -- no matter what MTA they're running, no matter that they all announce the MTA and version, no matter anything. I doubt I'm alone in observing this.

Even a diligent, capable attacker -- someone who is willing to invest the time and effort to ascertain what's running which service, down to the version -- could save themselves some homework by launching an attack like the one in the first paragraph above, examining the results, and using those to greatly reduce their search space. It's easy, it's cheap, it's fast, it's automated, and it yields no clues as to where the followup (version-specific) attack is going to come from.

---rsk