[34193] in North American Network Operators' Group
calling attention to servers
daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Tue Jan 30 18:40:15 2001
From: bmanning@vacation.karoshi.com
Message-Id: <200101302356.XAA22164@vacation.karoshi.com>
To: cmorrow@UU.NET
Date: Tue, 30 Jan 2001 23:56:06 +0000 (UCT)
Cc: nanog@merit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
Its a honeypot Chris.... if the goal is to deny intel, don't
spraypaint it a neon green. Camo is much nicer... if that is the
tactic you wish to take.
>
> attack away... it's a bit harder to figure out what it is... and bind's
> not exploitable (at least not yet...) so as long as all other things are
> 'ok' I'm just denying intel to the 'enemy'... besides, tcp queries are
> verboten anyway :)
>
> --Chris
>
>
> On Tue, 30 Jan 2001 bmanning@vacation.karoshi.com wrote:
>
> > lets see... (from previous discussions on the usefullness of tweeking
> > the version)
> >
> > wearing my blackhat, i have to decide which system is worthty
> > of my talents... which one should I pick?
> >
> > version "bad-ass-bind";
> > -or-
> > version "9.1.0"
> >
> > of course I could be running 4.8.1 and simply recompile so it _reports_
> > a bogus version but the profile of a 9.1.0 code base is -very- distinct
> > from a 4.8.1 code base... esp on replies to queries.
> >
> > Pick your targets carefully.
> >
> >
> >
> > > Why not jus return some 'bogus' version ??? like this option allows:
> > >
> > > version "bad-ass-bind";
> > >
> > > :)
> > > >
> > > > --Chris
> > > >
> > > > #######################################################
> > > > ## UUNET Technologies, Inc. ##
> > > > ## Manager ##
> > > > ## Customer Router Security Engineering Team ##
> > > > ## (W)703-289-8479 (C)703-283-3734 ##
> > > > #######################################################
> > > >
