RE: Strange domain-udp signature

From: Sudom, Don (dsudom1_at_wcb.bc.ca)
Date: 07/17/03

    Date: Thu, 17 Jul 2003 12:10:51 -0700
    To: "Stong, Ian C. (Contractor)" <StongI@ncr.disa.mil>, "Ed Allen Smith" <easmith@beatrice.rutgers.edu>
    
    

    It may be common practice for some vendors... However, active
    reconnaissance and network mapping is unethical regardless of the
    intent. There are passive techniques that these vendors can employ to
    accomplish this task. I actually have an FAQ from one of these vendors
    that suggests that everyone permit ICMP traffic so that they can
    "statically map" the network to determine the optimal path. You can go
    ahead and permit ICMP to your network if you like, but I won't be
    opening mine any time soon.

    Also, I don't have a problem with a couple of probes, but these devices
    are relentless. They should be smart enough to remove a node from its
    list should an answer not be forthcoming.

    Don

    -----Original Message-----
    From: Stong, Ian C. (Contractor) [mailto:StongI@ncr.disa.mil]
    Sent: Thursday, July 17, 2003 11:59 AM
    To: Sudom, Don; Ed Allen Smith
    Cc: incidents@lists.securityfocus.com
    Subject: RE: Strange domain-udp signature

    It's very common for DNS load balancers to be configured to "query"
    destinations to determine response time and delay. This information is
    then stored and referenced when a DNS request comes in such that the
    response given to the request is based on the best path as of the last
    snapshot.

    No harm done - but some don't like it as you have to dig further to find
    out if it's legitimate query traffic or probes that are precursor to
    attacks.

    Ian

    -----Original Message-----
    From: Sudom, Don [mailto:dsudom1@wcb.bc.ca]
    Sent: Thursday, July 17, 2003 1:23 PM
    To: Ed Allen Smith
    Cc: incidents@lists.securityfocus.com
    Subject: RE: Strange domain-udp signature

    I've done some more digging and this particular signature is
    from a dns global load balancer designed and used by speedera.com.
    Very annoying, and as far as I'm concerned unauthorized active recon
    is unethical.

    Don

