Update to BCP-38?

Rich Kulawiec rsk at gsp.org
Wed Oct 9 08:25:48 UTC 2019


On Tue, Oct 08, 2019 at 10:03:16AM -0700, William Herrin wrote:
> Limiting the server banner so it doesn't tell an adversary the exact
> OS-specific binary you're using has a near-zero cost and forces an
> adversary to expend more effort searching for a vulnerability.

Why would they bother performing that search?  Why not use their botnets
to throw every exploit they have at a service and see if anything works?
That's easier and cheaper and faster than being selective.  It also --
if they happen to have a working exploit -- blows right past
(announced) versions, whether real, fake, or elided.

Brute force is cheap, analysis is expensive.

Case in point: every mail server I have eyeballs on was probed by
attackers trying to exploit the recent exim vulnerability -- no matter
what MTA they're running, no matter that they all announce the MTA and
version, no matter anything.  I doubt I'm alone in observing this.

Even a diligent, capable attacker -- someone who is willing to invest
the time and effort to ascertain what's running which service, down
to the version -- could save themselves some homework by launching an
attack like the one in the first paragraph above, examining the results,
and using those to greatly reduce their search space.  It's easy, it's
cheap, it's fast, it's automated, and it yields no clues as to where
the followup (version-specific) attack is going to come from.

---rsk
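An added check, not part of the post above: the claim that exploit probes arrive regardless of which MTA a server announces is something an operator can measure from their own logs. The script below is example code written for this page, not code from the poster or from any MTA project. It assumes a constructed, simplified log format (host, announced banner, client IP, envelope command per line) and uses Exim-style `${...}` string expansion inside an envelope address as a stand-in probe signature; both the format and the signature are assumptions, and in practice you would substitute your own MTA's log layout and whatever probe pattern you actually observe.

```python
"""Does probe traffic correlate with the MTA a server announces?

Example code for illustration only (not the NANOG poster's or any
project's). Log format, host names, IPs and the probe signature are
all constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample log (not real traffic).
# Fields: host  announced-banner  client-ip  envelope command
SAMPLE_LOG = """\
mx1 Exim/4.92 198.51.100.7 RCPT TO:<${x}@example.com>
mx1 Exim/4.92 203.0.113.9 RCPT TO:<alice@example.com>
mx2 Postfix/3.4 198.51.100.7 RCPT TO:<${x}@example.com>
mx2 Postfix/3.4 203.0.113.9 RCPT TO:<bob@example.com>
mx3 Sendmail/8.15 198.51.100.7 RCPT TO:<${x}@example.com>
mx3 Sendmail/8.15 192.0.2.44 RCPT TO:<${x}@example.com>
mx4 none 198.51.100.7 RCPT TO:<${x}@example.com>
mx4 none 203.0.113.9 RCPT TO:<carol@example.com>
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+)\s+(?P<banner>\S+)\s+(?P<client>\S+)\s+(?P<cmd>.*)$'
)
# Assumed probe signature: Exim-style "${" string expansion inside an
# envelope address. Replace with the pattern seen in your own logs.
PROBE_RE = re.compile(r'\$\{')


def parse(log):
    """Yield one dict per well-formed log line; silently skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def probes_by_banner(log):
    """Map announced banner -> (probe_count, total_commands).

    If probes were banner-driven, hosts announcing the targeted MTA
    would dominate; if spraying is indiscriminate, every banner shows up.
    """
    stats = defaultdict(lambda: [0, 0])
    for rec in parse(log):
        stats[rec['banner']][1] += 1
        if PROBE_RE.search(rec['cmd']):
            stats[rec['banner']][0] += 1
    return {b: tuple(v) for b, v in stats.items()}


def probe_sources(log):
    """Map probing client IP -> number of distinct hosts it probed."""
    hosts = defaultdict(set)
    for rec in parse(log):
        if PROBE_RE.search(rec['cmd']):
            hosts[rec['client']].add(rec['host'])
    return {ip: len(h) for ip, h in hosts.items()}


def indiscriminate(log):
    """True when every announced banner (including 'none') drew a probe."""
    return all(p > 0 for p, _ in probes_by_banner(log).values())


if __name__ == "__main__":
    for banner, (p, t) in sorted(probes_by_banner(SAMPLE_LOG).items()):
        print(f"{banner:14s} probes {p}/{t}")
    for ip, n in sorted(probe_sources(SAMPLE_LOG).items()):
        print(f"{ip:15s} probed {n} host(s)")
    print("indiscriminate:", indiscriminate(SAMPLE_LOG))
```

In the constructed sample, one source hits all four hosts with the same payload whatever banner they present, which is the pattern the post describes; run the same two groupings over real logs from a mixed fleet to see whether your probe traffic behaves the same way.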



More information about the NANOG mailing list