Blocking version information
Bill Larson
wllarso at swcp.com
Mon Jun 20 18:04:16 UTC 2005
On Jun 20, 2005, at 9:54 AM, Stephane Bortzmeyer wrote:
> On Mon, Jun 20, 2005 at 10:04:02AM -0500,
> Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote
> a message of 26 lines which said:
>
>> If I had a script that exploited a vulnerability
>
> You do not even need to perform thought experiments ("If I
> had..."). Just look at actual worms and viruses. As you say, they
> follow the easiest path. Worms that exploit a vulnerability of
> Microsoft IIS do not even check that the remote HTTP server is IIS or
> Apache or else. They just try (and fill in the logs of everyone).
The argument that there are scripts that check the version of BIND
prior to an attack is commonly given as a justification for obfuscating
the version number. Can anyone provide an example of an actual virus
or exploit that has widely taken place on the Internet to back up this
claim? Or, as Barry suggested, have these attacks simply hit the
systems without regard to the BIND version being run?
Doing a brief search, I found one situation where people were worried
about seeing "version.bind" DNS queries. The follow-up indicated that
this was done for a widespread host risk assessment rather than any
"attack".
(http://lists.sans.org/pipermail/list/2005-January/088117.html)
In the CIAC K-050 announcement, there was the statement that "scans are
looking for systems running BIND versions 8.2, 8.2.1, or 8.2.2." Does
this really mean that someone was specifically looking for those
specific versions of BIND or that those versions of BIND were
vulnerable to the attack that was used?
If someone were to be able to say that there is/was an active exploit
that did actually check the version of BIND running preceding the
actual attack, this would give credence to the security people that say
that hiding this version information is necessary, or at least useful.
If they say that having access to this version information "may" make
the system a target for an attack, then they need to demonstrate that
hiding this information will actually prevent some attack - i.e., tell
me of an example of where this information was being used.
As I said earlier, I fully agree that hiding this version information
is futile. It will not prevent an attack, and as Barry and Stephane
pointed out, this information is not necessarily used during an attack.
Bill Larson
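As an added illustration (not part of this thread or of BIND itself), a small Python script that spots the "version.bind" queries discussed above in BIND-style query logs and counts them per source, which is the kind of check an operator would run to tell an assessment sweep from a one-off probe. The log lines are constructed samples, and the log format is assumed to follow named's "client ADDR#PORT: query: NAME CLASS TYPE" shape.

```python
import re
from collections import Counter

# Constructed sample of BIND query-log lines (format assumed to follow the
# "client ADDR#PORT: query: NAME CLASS TYPE" shape of named's query log).
SAMPLE_LOG = """\
20-Jun-2005 10:04:02.101 client 192.0.2.10#53421: query: www.example.com IN A +
20-Jun-2005 10:04:02.355 client 198.51.100.7#40001: query: version.bind CH TXT +
20-Jun-2005 10:04:03.010 client 198.51.100.7#40002: query: VERSION.BIND CH TXT +
20-Jun-2005 10:04:05.777 client 203.0.113.9#1025: query: version.bind CH TXT +
20-Jun-2005 10:04:06.004 client 192.0.2.10#53422: query: mail.example.com IN MX +
20-Jun-2005 10:04:07.500 client 198.51.100.7#40003: query: hostname.bind CH TXT +
"""

QUERY_RE = re.compile(
    r"client (?P<addr>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

# CHAOS-class names that reveal server identity when the server answers them.
IDENTITY_NAMES = {"version.bind", "hostname.bind", "id.server", "authors.bind"}


def parse_query(line):
    """Return (addr, name, class, type) for one query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m["addr"], m["name"].rstrip(".").lower(), m["cls"].upper(), m["type"].upper()


def find_identity_probes(log_text):
    """Count CHAOS-class identity queries (version.bind etc.) per source address."""
    per_source = Counter()
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        addr, name, cls, _ = parsed
        if cls == "CH" and name in IDENTITY_NAMES:
            per_source[addr] += 1
    return per_source


if __name__ == "__main__":
    for addr, n in find_identity_probes(SAMPLE_LOG).most_common():
        print(f"{addr}: {n} identity probe(s)")
```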