[1868] in linux-security and linux-alert archive
[linux-security] Re: More BIND information.
daemon@ATHENA.MIT.EDU (Craig H. Rowland)
Mon Jun 15 02:27:23 1998
Date: Sat, 13 Jun 1998 13:41:11 -0400 (EDT)
From: "Craig H. Rowland" <crowland@psionic.com>
Reply-To: "Craig H. Rowland" <crowland@psionic.com>
To: linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.96.980609223239.15264A-100000@dolemite.psionic.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Tue, 9 Jun 1998, Craig H. Rowland wrote:
> Hello,
>
> It's been barely a week since DNS exploits were made public and
> already people are scanning blocks of addresses looking for DNS version
> numbers!
A few things on some comments received:
1) Several people have taken my original post to mean I endorse security
through obscurity by removing the version number from BIND. This is not
true, I changed the version number returned more as a "Hello, I know
you're there" than as a security measure of any type. An attacker, unable
to obtain version information, is going to try their attack *anyway*. Why?
Because it's the only tool they have and they were going to use it
regardless of a patched version or not. This is just how a lot of the
intruders running scripts work. They fish around with their bag-o-tricks
until one works and they often don't care if you are seemingly patched
against the hole or not.
Most burglaries of homes are stopped not with the sound of a siren, but
with the stickers on the windows notifying the intruder of the presence
of an alarm. I like to apply the same principle when securing hosts to let
a person know that the admin is watching and will probably be alerted to
their actions. Maybe the person will get the message and move on somewhere
else (or maybe they'll try harder to get in :) ).
2) Other points raised include the usefulness of returning the version
information for debugging DNS issues. This is a very valid reason; however,
as an admin of a DNS server I would rather have you *write me* to ask
about problems you are having with my DNS service so I can assist rather
than you start poking around remotely. IMHO
3) Some have mentioned that querying DNS version numbers is frequently
done and is not suspicious. I disagree with this for a couple of reasons:
- Times have changed. If someone was querying DNS version
information a few months ago, I would have found it suspicious, but would
probably have let it slide (well not quite, I would have been watching for
them to return). As new attacks have emerged to target vulnerable DNS
servers though, I believe that admins will find these queries are going
to skyrocket. I'll venture to guess most of these queries will not be for
debugging anything except: a) shell code or b) to find vulnerable boxes
without trying exploits on large lists of addresses.
- It was once true that features like VRFY and EXPN in SMTP were
useful for debugging mail connections too and were completely innocent.
This of course is no longer the case as people abuse these tools to pull
valuable recon information from target hosts. The same goes for other
features in protocols like mail relaying, FTP port redirection ("FTP
bounce"), Finger, etc. Once potentially useful features are now
increasingly dangerous holes "in today's increasingly imbecile
Internet"[1].
4) Whenever a human is directly interacting with a network daemon in a
non-typical fashion, the administrators of the remote site need to know
about it. This is always a very suspicious event when the majority of a
network daemon's traffic is server -> server/client operations as it is
with BIND.
5) Other suspicious events in BIND are written to logs (i.e. denied zone
transfers); I think that version requests should fall into the same
category.
6) LaMont Jones posted to Bugtraq a solution which appears to be a lot
cleaner than patching the sources:
>Date: Fri, 12 Jun 1998 15:28:39 -0600
>From: LaMont Jones <lamont@CRANSTON.FC.HP.COM>
>To: BUGTRAQ@NETSPACE.ORG
>Subject: Re: Silly patch to report version.bind requests
>
>> I wrote this patch for BIND 8.1.2 that will change the version number
>> returned and (most importantly) write to your logs that a person
>> attempted to do so.
>
>Rather than hacking on the source, just do the following with the stock
>distribution:
>
>in named.conf:
>zone "bind" chaos {
>    type master;
>    file "pri/bind";
>    allow-query { localhost; };
>};
>
>and in pri/bind:
>$ORIGIN bind.
>@ 1D CHAOS SOA localhost. root.localhost. (
> 1 ; serial
> 3H ; refresh
> 1H ; retry
> 1W ; expiry
> 1D ) ; minimum
> CHAOS NS localhost.
>
>Presto - log messages for denied queries, and no changes to the code.
>
>lamont
7) Administrators should be provided with as much useful information from
their computer systems as possible so they can decide what to ignore and
what to pay heed to. This was the main point of the patch.
-- Craig
[1] From majordomo.cf file when describing the virtue of running a list
with confirmation turned on after the non-confirmation feature was
presumably abused by mail-bomb scripts.
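A defender-side companion to points 5 and 6 above: the snippet below is an added example, not part of the original post, that scans BIND query-log text and reports which non-loopback addresses asked for version.bind in the CHAOS class. The log layout it parses is an assumption, modelled loosely on BIND 9's "client ADDR#PORT: query: NAME CLASS TYPE" lines, and the sample lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample query-log lines (assumed layout, not from the post).
SAMPLE_LOG = """\
15-Jun-1998 02:10:01.123 client 127.0.0.1#4321: query: version.bind CH TXT +
15-Jun-1998 02:10:05.456 client 192.0.2.44#53000: query: version.bind CH TXT +
15-Jun-1998 02:10:06.789 client 192.0.2.44#53001: query: VERSION.BIND CH TXT +
15-Jun-1998 02:11:00.000 client 198.51.100.7#1053: query: www.example.com IN A +
15-Jun-1998 02:11:02.000 client 203.0.113.9#2000: query: version.bind CH TXT +
"""

# Tolerates both "ADDR#PORT: query:" and the newer "ADDR#PORT (name): query:" forms.
QUERY_RE = re.compile(
    r"client (?P<addr>[0-9A-Fa-f.:]+)#\d+:? .*?query: (?P<name>\S+) "
    r"(?P<cls>\S+) (?P<type>\S+)"
)


def is_version_query(name: str, qclass: str) -> bool:
    """version.bind lives in the CHAOS class; DNS names are case-insensitive."""
    return (name.rstrip(".").lower() == "version.bind"
            and qclass.upper() in ("CH", "CHAOS"))


def version_probes(log_text: str):
    """Return [(address, count), ...] for remote sources that queried version.bind.

    Loopback queries are skipped, mirroring LaMont's allow-query { localhost; }
    rule: local debugging is expected, remote version fishing is what to review.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or not is_version_query(m["name"], m["cls"]):
            continue
        addr = ip_address(m["addr"])
        if addr.is_loopback:
            continue
        hits[str(addr)] += 1
    # Most persistent scanners first, ties broken by address.
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for addr, n in version_probes(SAMPLE_LOG):
        print(f"{addr} asked for version.bind {n} time(s)")
```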
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null