Subject: Re: Scans... (was Re: 3 Solaris reboot in 3 days)
From: Pierre Vandevenne (pierre DATARESCUE.COM)
Date: Tue Aug 01 2000 - 19:36:26 CDT
- Next message: Brian Burns: "Re: Can anyone identify this?"
- Previous message: Richard Johnson: "Re: SMB / NetBIOS Connections"
- Next in thread: J. Oquendo: "Re: 3 Solaris reboot in 3 days"
- Maybe reply: Pierre Vandevenne: "Re: Scans... (was Re: 3 Solaris reboot in 3 days)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 2 Aug 2000 02:43:20 +0300 (IDT), mixter 2xs.co.il wrote:
> Also, a non-intrusive querying for bind versions,
> to get a better perspective of security by gathering
> demographic data of the used bind versions (with bind being arguably the most
> often exploited service recently).
Precisely. If you see it from the "scannee" point of view, how does he
distinguish that from a "recon" operation by a script kiddie preparing
a bind exploit?
> After our scan of some 16.581.375 addresses
> for just this information, all that we have received were 3 requests to explain
> our activity, which we promptly did.
Well, kind of... :-) Anyway, will the data you gathered from the
survey be made public? What you found should be statistically
interesting.
> I noticed you mention BlackICE on Windows 98. From my experience, it is a very
> sensitive type of IDS, that can create extensive log entries, for example
> "DNS port probe" for just receiving a udp/53 packet, and "BIND version
> request" in addition to the first notice. That might be why you originally
> considered this incident more than a simple version query.
In fact, the cisco log was what grabbed my attention first, then
BlackIce, then two other logging / protection mechanisms we have in
place on our network and which I shall not describe publicly <G>.
Anyway I consider that a version query on our DNS software is an
aggressive behaviour - that's why I brought the matter here btw - I'd
like to know how other people feel about that. Is there really any
legitimate reason to scan a full class C for BIND versions? You were
scanning for vulnerabilities, with a white hat - but how can the target
of a scan tell the colour of the scanner's hat? Noticing that the
attack came from a company raised my level of alarm btw - I suspected
you had more resources than the average script kiddie and therefore
represented a greater danger. Heuristics, you have no choice but to
apply some in life... Another point: I have no choice but to lose
_some_ time evaluating your scan when I notice it. As a busy person I'd
rather avoid that. OTOH, surveys are useful - no doubt about that.
As far as BlackIce is concerned, yes I tend to agree with you, it is
way too sensitive for the casual user, even in cautious mode - that is
why we only use it on one WS, as a kind of watchdog. But it still
remains a great, generally reliable, useful tool and the support was
top notch when I contacted them about early versions.
Kind Regards
Pierre
---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
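For the defender's side of this exchange, an added example (not from the thread or its authors) that picks version.bind-style CHAOS TXT queries out of constructed BIND query-log lines and counts them per source, so a single curiosity query can be told apart from a repeated probe; the log line shape, the addresses and the list of fingerprint names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of a BIND query log
# ("client <ip>#<port>: query: <name> <class> <type> ..."); not real traffic.
SAMPLE_LOG = """\
client 192.0.2.10#4321: query: www.example.com IN A
client 198.51.100.7#53001: query: version.bind CH TXT
client 198.51.100.7#53002: query: VERSION.BIND CH TXT
client 192.0.2.11#1025: query: mail.example.com IN MX
client 203.0.113.5#40000: query: version.bind CH TXT
client 203.0.113.5#40001: query: hostname.bind CH TXT
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

# CHAOS-class names that reveal server software or identity (assumed list).
FINGERPRINT_NAMES = {"version.bind", "hostname.bind", "id.server", "authors.bind"}


def parse_query(line):
    """Return (ip, name, class, type) for a query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    name = m.group("name").lower().rstrip(".")  # case and trailing dot do not matter
    return m.group("ip"), name, m.group("cls").upper(), m.group("type").upper()


def is_fingerprint_query(name, cls, qtype):
    """True for a CH TXT query against one of the fingerprint names."""
    return cls == "CH" and qtype == "TXT" and name in FINGERPRINT_NAMES


def fingerprint_sources(log_text):
    """Count server-fingerprinting queries per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed and is_fingerprint_query(*parsed[1:]):
            counts[parsed[0]] += 1
    return counts
```

BIND also lets the operator replace the string returned for version.bind with the `version` option in the named.conf `options` block, which removes the information without stopping the queries from being logged.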