
List:       incidents
Subject:    Re: Probes from Microsoft
From:       Jose Nazario <jose () BIOCSERVER ! BIOC ! CWRU ! EDU>
Date:       2001-02-25 0:17:39

On Fri, 23 Feb 2001, Ryan W. Maple wrote:

>   Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer
> (BSDI kernel/x86)

> Now I'm not going to call up Microsoft and say "I think you are
> hacked" because I don't really feel like going through all the work to
> find out who to contact, and all that.  I have cc:'d
> secure@microsoft.com on this message so hopefully somebody there will
> investigate.

hi ryan

no. i don't think they're hacked. we went through this last year on the
INCIDENTS list right about the time that the ADMrocks stuff was big, what
with version.bind queries coming from the hackers and all. F5 also does
version.bind queries to gauge round trip times. then this information is
used to give you an optimal server.

anyhow, i spoke last year with an engineer from F5 (the BigIP folks) about
this. it's unfortunate timing, then and now, with BIND exploits making
the rounds that they're using version.bind queries to gauge metrics. the
reasoning i recall is that the version info in your DNS server should be
nearly a zero operation answer for the server, meaning it doesn't add load
to the server when you get queried. (personally, i'm more in favor of TCP
pings to gauge reliable metrics of latency.)

check the INCIDENTS archives, i think this F5/BigIP stuff came to light
there. you're probably seeing this again.

as for ways to disable BIND's version.bind information leak, again, see
these archives.

____________________________
jose nazario						     jose@cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
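For anyone wanting to recognize the probe discussed in this thread in their own captured DNS traffic, here is an added example that is not part of the original message nor code from F5 or ISC: it builds the `version.bind CH TXT` query in DNS wire format as a constructed sample and parses query packets to flag that question. All function and constant names are my own.

```python
import struct

# Constructed sample, not captured traffic: the wire-format query that a
# version.bind probe sends (question: version.bind, class CHAOS, type TXT).
QTYPE_TXT = 16
QCLASS_CHAOS = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels ending in a NUL byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_version_bind_query(txid: int = 0x1234) -> bytes:
    """Build a single-question query 'version.bind. CH TXT' (flags: RD set, no answers)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)


def decode_name(pkt: bytes, off: int):
    """Decode labels starting at `off`; returns (lowercased name, offset after the NUL)."""
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n, off = pkt[off], off + 1
        if n == 0:
            return ".".join(labels).lower(), off
        if n & 0xC0:  # compression pointers never appear in a query's question section
            raise ValueError("compression pointer in question")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def parse_question(pkt: bytes) -> dict:
    """Parse the 12-byte header and the first question of a DNS query packet."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means a response, not a query
        raise ValueError("not a single-question query")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass}


def is_version_bind_probe(pkt: bytes) -> bool:
    """True only for a CHAOS-class TXT query for version.bind; malformed packets are False."""
    try:
        q = parse_question(pkt)
    except (ValueError, struct.error, UnicodeDecodeError):
        return False
    return q["qclass"] == QCLASS_CHAOS and q["qtype"] == QTYPE_TXT and q["qname"] == "version.bind"
```

Run over the UDP payloads of port-53 traffic, `is_version_bind_probe` separates these metric probes from ordinary IN-class lookups; the answer itself is a static TXT record, which is why the engineer quoted above called it a near-zero-cost query.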
