Blocking version information

Bill Larson wllarso at swcp.com
Mon Jun 20 18:04:16 UTC 2005


On Jun 20, 2005, at 9:54 AM, Stephane Bortzmeyer wrote:

> On Mon, Jun 20, 2005 at 10:04:02AM -0500,
>  Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote
>  a message of 26 lines which said:
>
>> If I had a script that exploited a vulnerability
>
> You do not even need to perform thought experiments ("If I
> had..."). Just look at actual worms and viruses. As you say, they
> follow the easiest path. Worms that exploit a vulnerability of
> Microsoft IIS do not even check that the remote HTTP server is IIS or
> Apache or else. They just try (and fill in the logs of everyone).

The argument that there are scripts that check the version of BIND
prior to an attack is commonly given as a justification for obfuscating
the version number.  Can anyone provide an example of an actual virus
or exploit that has widely taken place on the Internet to back up this
claim?  Or, as Barry suggested, have these attacks simply hit the
systems without regard to the BIND version being run?

Doing a brief search, I found one situation where people were worried
about seeing "version.bind" DNS queries.  The follow-up indicated that
this was done for a widespread host risk assessment rather than any
"attack".
(http://lists.sans.org/pipermail/list/2005-January/088117.html)

In the CIAC K-050 announcement, there was the statement that "scans are 
looking for systems running BIND versions 8.2, 8.2.1, or 8.2.2."  Does 
this really mean that someone was specifically looking for those 
specific versions of BIND or that those versions of BIND were 
vulnerable to the attack that was used?

If someone were to be able to say that there is/was an active exploit 
that did actually check the version of BIND running preceding the 
actual attack, this would give credence to the security people that say 
that hiding this version information is necessary, or at least useful.  
If they say that having access to this version information "may" make 
the system a target for an attack, then they need to demonstrate that 
hiding this information will actually prevent some attack - i.e., tell 
me of an example of where this information was being used.

As I said earlier, I fully agree that hiding this version information 
is futile.  It will not prevent an attack, and as Barry and Stephane 
pointed out, this information is not necessarily used during an attack.

Bill Larson
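One way to gather the evidence the message asks for is to look at your own query logs for CHAOS-class "version.bind" lookups and see which clients send them and whether anything follows. The script below is an added example, not code from the original post or from ISC; it assumes the BIND 9 query-log line layout shown in the constructed sample lines (including the optional "@0x..." client handle and "(name)" field that newer releases add).

```python
import re
from collections import Counter

# Constructed sample lines in the BIND 9 query-log style
# ("client <ip>#<port>: query: <name> <class> <type> <flags> (<server-ip>)").
SAMPLE_LOG = """\
20-Jun-2005 10:01:02.123 client 192.0.2.10#40211: query: www.example.net IN A + (203.0.113.53)
20-Jun-2005 10:01:05.456 client 198.51.100.7#1025: query: version.bind CH TXT + (203.0.113.53)
20-Jun-2005 10:01:05.789 client 198.51.100.7#1026: query: hostname.bind CH TXT + (203.0.113.53)
20-Jun-2005 10:02:11.000 client 192.0.2.10#40212: query: mail.example.net IN MX + (203.0.113.53)
20-Jun-2005 10:03:40.321 client 198.51.100.9#5353: query: VERSION.BIND CH TXT - (203.0.113.53)
"""

# Tolerates "client @0x7f... 192.0.2.1#1234 (name): query: ..." from newer BIND 9 (assumed layout).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)

# CHAOS-class names that reveal server identity (version.bind and its relatives).
PROBE_NAMES = {"version.bind", "hostname.bind", "id.server", "version.server"}

def parse_query(line):
    """Extract client IP, query name, class and type from one log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "name": m.group("name").rstrip(".").lower(),
            "class": m.group("class").upper(), "type": m.group("type").upper()}

def is_version_probe(q):
    """True for a CH TXT lookup of one of the identity names."""
    return q["class"] == "CH" and q["type"] == "TXT" and q["name"] in PROBE_NAMES

def probes_by_client(log_text):
    """Return {client_ip: count} of CHAOS-class identity probes found in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        q = parse_query(line)
        if q and is_version_probe(q):
            counts[q["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for ip, n in sorted(probes_by_client(SAMPLE_LOG).items()):
        print(f"{ip}: {n} version probe(s)")
```

Correlating the listed client addresses with later entries in the same log (or with `named` security-channel messages) is what would show whether a version query actually preceded an attack attempt.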



More information about the bind-users mailing list