Security Incidents mailing list archives

Re: Scans... (was Re: 3 Solaris reboot in 3 days)


From: mixter () 2XS CO IL
Date: Wed, 2 Aug 2000 02:43:20 +0300

Our company was doing a test scan of a class A network, 195.0.0.0/8, for DNS
server versions. Of course we never have probed, nor will we probe, single
private networks intensively and specifically without their permission. Also,
this was a non-intrusive querying for BIND versions, to get a better perspective
of security by gathering demographic data of the used BIND versions (with BIND
being arguably the most often exploited service recently). After our scan of
some 16.581.375 addresses for just this information, all that we have received
were 3 requests to explain our activity, which we promptly did.

I noticed you mention BlackICE on Windows 98. From my experience, it is a very
sensitive type of IDS that can create extensive log entries, for example
"DNS port probe" for just receiving a udp/53 packet, and "BIND version
request" in addition to the first notice. That might be why you originally
considered this incident more than a simple version query.

-------------------------------------------------
Personally expressed opinions do not necessarily
represent the opinions of 2XS Limited.
-------------------------------------------------
Mixter                  2xs LTD.
Tel: 972-9-9519980      Fax: 972-9-9519982
Mail: mixter () 2xs co il  Web: http://www.2xs.co.il
-------------------------------------------------
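
The double logging described in the message above, as an added example that is not part of the original post and is not BlackICE's code: a small classifier that raises the generic notice for any udp/53 payload and the specific one only when the question is `version.bind`, type TXT, class CHAOS. The two alert strings are taken from the post; the matching logic, the function names and the sample payloads are assumptions constructed for illustration.

```python
import struct

QTYPE_TXT, QCLASS_CHAOS = 16, 3  # version.bind is asked as a TXT record in class CH

def parse_question(payload: bytes):
    """Return (qname, qtype, qclass) of the first question, or None if not a valid query."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None  # name runs off the end of the packet
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return None  # compression pointer or overrun: reject
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def classify(payload: bytes) -> list:
    """Alerts for one udp/53 payload: a generic notice, plus a specific one on a match."""
    alerts = ["DNS port probe"]  # raised for any packet to udp/53, as the post describes
    if parse_question(payload) == ("version.bind", QTYPE_TXT, QCLASS_CHAOS):
        alerts.append("BIND version request")
    return alerts

# Constructed sample payloads (not captured traffic).
HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # one question, RD set
VERSION_QUERY = HEADER + b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3)
ORDINARY_QUERY = HEADER + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
TRUNCATED = HEADER + b"\x07versi"

if __name__ == "__main__":
    for name, pkt in [("version", VERSION_QUERY), ("ordinary", ORDINARY_QUERY), ("truncated", TRUNCATED)]:
        print(name, classify(pkt))
```

Both alerts come from a single packet, so an analyst correlating on source address and timestamp can collapse them into one event before judging severity.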

