Bind version number

Jim Reid jim at rfc1035.com
Tue Feb 15 23:54:26 UTC 2000


>>>>> "dgreco" == dgreco  <dgreco at atlantic.net> writes:

    dgreco> We recently got hacked. They knew they could get us
    dgreco> because they used dig to find version numbers of bind over
    dgreco> a wide range of IP addresses.

Eh? How can knowing the version number of BIND allow an attacker to
penetrate your systems? Unless of course you're running old DNS code
that's *known* to have security holes. [If that's the case, you only
have yourself to blame for not keeping up with CERT advisories and the
current BIND release. Sorry.] And all the version number can do is
tell the bad guy which particular attack to choose from a list of
possible DNS attacks. It doesn't necessarily mean that the DNS was
used to break in: where's your proof? How do you know that the
attackers exploited a hole in DNS software? What network services were
these systems offering to the public? What was in the system logs?
What traffic did your firewall let through while the attack was in
progress? And before the attack..... And how do you know the bad guys
attacked from outside?

"The Bad Guys knew what version of BIND we run." "We were attacked."
These two statements are not related to each other without a clear
chain of evidence in between. Disclosing the version of BIND you run
does not constitute a security hole. Even if you concealed that you
were running 8.2 (say), that wouldn't make you invulnerable to the
documented attacks that are known to work on that BIND release.


