Bugtraq mailing list archives

Silly patch to report version.bind requests


From: crowland () PSIONIC COM (Craig H. Rowland)
Date: Wed, 10 Jun 1998 17:18:45 -0400


Hello,

I wrote this patch for BIND 8.1.2 that will change the version number
returned and (most importantly) write to your logs that a person attempted
to do so.


To apply:

cd src/bin/named
patch < patchfile.name
re-compile and run (preferably chrooted())

(See http://www.psionic.com/papers/dns.html or
http://www.homeport.org/~adam/dns.html for more information)


Test using command:

dig @127.0.0.1 version.bind chaos txt

You should see "Go away." come back instead of the BIND version number and
your log should have an "attackalert" message in it with the IP of the
perpetrator. This can be grep'd for if you use an automated logfile
auditing tool like swatch or <ahem> logcheck, which already looks for
this keyword:

http://www.psionic.com/abacus/abacus_logcheck.html

;)

While I don't suspect this will break anything, I would like to hear if it
does. I've been running the patch without incident, but no guarantees as
usual.


Thanks,

-- Craig
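The log check described in the message, as an added example that is not part of the original post or of logcheck: a shell function that counts the patch's "attackalert" lines per source address. The syslog lines are constructed sample data, and the "[address].port" rendering of sin_ntoa() is an assumption.

```shell
#!/bin/sh
# Added example: summarise the "attackalert" lines written by the patched named.
# Assumption: sin_ntoa() renders the peer as "[a.b.c.d].port".
# The log lines below are constructed, not captured from a real server.

sample_log() {
cat <<'EOF'
Jun 10 17:20:01 ns1 named[412]: attackalert: BIND version query from [192.0.2.10].1042
Jun 10 17:20:03 ns1 named[412]: attackalert: BIND version query from [192.0.2.10].1043
Jun 10 17:21:40 ns1 cron[501]: (root) CMD (run-parts /etc/cron.hourly)
Jun 10 17:25:12 ns1 named[412]: attackalert: BIND version query from [203.0.113.5].53
Jun 10 17:26:30 ns1 named[412]: attackalert: BIND version query from [192.0.2.10].1050
EOF
}

# Read a log on stdin, print "count address" per source, most frequent first.
version_probe_summary() {
    awk '
        /attackalert: BIND version query from / {
            peer = $NF                      # e.g. "[192.0.2.10].1042"
            sub(/^\[/, "", peer)            # drop the leading bracket
            sub(/\]\.[0-9]+$/, "", peer)    # drop the trailing "].port"
            count[peer]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# Read a log on stdin, print only sources seen at least N times (default 3).
# For UDP queries the logged address is the claimed source, not proof of origin.
repeat_probers() {
    version_probe_summary | awk -v min="${1:-3}" '$1 >= min { print $2 }'
}

sample_log | version_probe_summary
```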





*** ns_req.c    Tue Jun  9 21:56:26 1998
--- ns_req.new  Tue Jun  9 21:46:58 1998
***************
*** 665,673 ****
                PUTLONG(0, *cpp);               /* TTL */
                tp = *cpp;                      /* Temp RdLength */
                PUTSHORT(0, *cpp);
!               copyCharString(cpp, ShortVersion);
                PUTSHORT((*cpp) - (tp + INT16SZ), tp);  /* Real RdLength */
                *msglenp = *cpp - msg;          /* Total message length */
                return (Finish);
        }

--- 665,674 ----
                PUTLONG(0, *cpp);               /* TTL */
                tp = *cpp;                      /* Temp RdLength */
                PUTSHORT(0, *cpp);
!               copyCharString(cpp, "Go away.");
                PUTSHORT((*cpp) - (tp + INT16SZ), tp);  /* Real RdLength */
                *msglenp = *cpp - msg;          /* Total message length */
+               ns_info(ns_log_security, "attackalert: BIND version query from %s", sin_ntoa(from));
                return (Finish);
        }
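Review bot: the ns_info() call added before return (Finish) fires on every version.bind query with no rate limit, and over UDP the address printed by sin_ntoa(from) is only the packet's claimed source, so the "attackalert" line can be produced in bulk and can name a host that never sent the query. Consider throttling the message (for example one line per source per interval) and wording it so that readers do not treat the address as proof of origin. The literal "Go away." passed to copyCharString() would be easier to maintain as a named constant or a configuration option alongside ShortVersion, and the ns_info() line runs well past 80 columns and should be wrapped to match the surrounding code.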


