sorry to ruin several of your evenings...

Christopher L. Morrow cmorrow at UU.NET
Tue Jan 30 21:37:15 UTC 2001



Ok, so perhaps my initial post was not prefaced correctly: "instead of
disallowing queries, change the version returned to something bogus on
your spankin' new upgraded 'must be secure cause paul said so' version of
BIND'?"

:) of course I'm not advocating leaving old/vulnerable versions of stuff
running... just denying the enemy intelligence they COULD use against you.

--Chris


On Tue, 30 Jan 2001, Jared Mauch wrote:

> 
> 	The problem is that there are those that do not have their
> sysadmin staff at proper levels or will use some configuration options
> to their advantage to save doing work.  These people should use caution
> if they go about it this way instead of upgrading.
> 
> 	You would be surprised how many requests i get for favico.ico on my
> web server still...
> 
> 	- Jared
> 
> On Tue, Jan 30, 2001 at 04:31:30PM -0500, Christopher L. Morrow wrote:
> > 
> > I didn't say I didn't upgrade :) I just said why give out info you don't
> > need to give out.
> > 
> > --Chris
> > 
> > On Tue, 30 Jan 2001, Jared Mauch wrote:
> > 
> > > 
> > > 	The key here is that if you're going to spend time faking the
> > > real response of a query that time may be best spent fixing the
> > > real problem.
> > > 
> > > 	People who will now complain about the number of machines they
> > > need to upgrade, etc.. should now evaluate the costs of running an internet
> > > connected network.  If these costs or risks are too high for you perhaps
> > > you need to evaluate your internet connection policies.
> > > 
> > > 	- Jared
> > > 
> > > On Tue, Jan 30, 2001 at 09:32:24PM +0000, bmanning at vacation.karoshi.com wrote:
> > > > 
> > > >  lets see... (from previous discussions on the usefullness of tweeking
> > > >  the version)
> > > > 	
> > > > 	wearing my blackhat, i have to decide which system is worthty
> > > > 	of my talents... which one should I pick?
> > > > 
> > > > 	version "bad-ass-bind";  	
> > > > 	-or-
> > > > 	version "9.1.0"
> > > > 
> > > >  of course I could be running 4.8.1 and simply recompile so it _reports_
> > > >  a bogus version but the profile of a 9.1.0 code base is -very- distinct
> > > >  from a 4.8.1 code base... esp on replies to queries.
> > > > 
> > > >  Pick your targets carefully.
> > > > 
> > > > 
> > > > 
> > > > > Why not jus return some 'bogus' version ??? like this option allows:
> > > > > 
> > > > > version "bad-ass-bind";
> > > > > 
> > > > > :)
> > > > > 
> > > > > --Chris
> > > > > 
> > > > > #######################################################
> > > > > ## UUNET Technologies, Inc.                          ##
> > > > > ## Manager                                           ##
> > > > > ## Customer Router Security Engineering Team         ##
> > > > > ## (W)703-289-8479 (C)703-283-3734                   ##
> > > > > #######################################################
> > > > > 
> > > > > On Tue, 30 Jan 2001, Stephen Stuart wrote:
> > > > > 
> > > > > > 
> > > > > > > While it's not exactly a problem, it does give away that you're running
> > > > > > > bind9 (I do like the new 'version' option where you can set the
> > > > > > > version.bind reply) even if you change the version to appear to be a bind8
> > > > > > > server.
> > > > > > 
> > > > > > "allow-query" lets you control who can see that information:
> > > > > > 
> > > > > > zone "bind" chaos { 
> > > > > >         allow-query {
> > > > > >                 127.0.0.1 ;
> > > > > >                 xxx.xxx.xxx.xxx/len ;
> > > > > >         } ;
> > > > > >         type master; 
> > > > > >         file "filename"; 
> > > > > > };
> > > > > > 
> > > > > > Stephen
> > > > > > 
> > > > > 
> > > > > 
> > > > 
> > > 
> > > -- 
> > > Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> > > clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> > > END OF LINE  | Manager of IP networks built within my own home
> > > 
> 
> -- 
> Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> END OF LINE  | Manager of IP networks built within my own home
> 





More information about the NANOG mailing list