Security Incidents mailing list archives
Re: Microsoft version.binding us now?
From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Sat, 3 Jun 2000 01:08:43 -0000
Hello,

Great work tracking this 3DNS signature! When I looked at 3DNS' F5 signatures last year, I found them using null 64 byte SYN packets to local name servers to try to test latency. Actual polls for BIND versions are very interesting -- are the incoming packets TCP? The vendor said "It looks like an aborted zone transfer normally, or a dns look-up that went wrong"; that sounds like TCP to me. Also, are your machines responding?

Richard Bejtlich

--

Same here, every +/- 4 minutes they poll for our VERSION.BIND. I resolved one of the IP numbers to something.windowsupdate.com and I contacted the technical contacts.