The OpenNET Project

[linux-security] More BIND information.
Date: Tue, 9 Jun 1998 22:54:25 -0400 (EDT)
From: "Craig H. Rowland" <crowland@psionic.com>
To: linux-security@redhat.com
Subject: [linux-security] More BIND information.

Hello,

It's been barely a week since DNS exploits were made public and
already people are scanning blocks of addresses looking for DNS version
numbers! 

So I wrote a simple patch that would disable this feature and write a log
notice out of the host that perpetrated the act. Because of the BIND
discussions that have been going on here I thought I'd share it with you.
This is only for version 8.1.2 of BIND, although the mildly savvy can
figure it out for other versions (do a search on "version.bind" in
ns_req.c in the sources).


To apply: 

cd src/bin/named
patch < patchfile.name
re-compile and run (preferably chrooted())

(See http://www.psionic.com/papers/dns.html for more information)


Test using command:

dig @127.0.0.1 version.bind chaos txt

You should see "Go away." come back instead of the BIND version number and
your log should have an "attackalert" message in it with the IP of the
perpetrator. This can be grep'd for if you use an automated logfile
auditing tool like swatch or <ahem> logcheck, which already looks for
this keyword:

http://www.psionic.com/abacus/abacus_logcheck.html

;) 

While I don't suspect this will break anything, I would like to hear if it
does. I've been running the patch without incident, but no guarantees as
usual.


Thanks,

-- Craig

*** ns_req.c	Tue Jun  9 21:56:26 1998
--- ns_req.new	Tue Jun  9 21:46:58 1998
***************
*** 665,673 ****
  		PUTLONG(0, *cpp);		/* TTL */
  		tp = *cpp;			/* Temp RdLength */
  		PUTSHORT(0, *cpp);
! 		copyCharString(cpp, ShortVersion);
  		PUTSHORT((*cpp) - (tp + INT16SZ), tp);	/* Real RdLength */
  		*msglenp = *cpp - msg;		/* Total message length */
  		return (Finish);
  	}
  
--- 665,674 ----
  		PUTLONG(0, *cpp);		/* TTL */
  		tp = *cpp;			/* Temp RdLength */
  		PUTSHORT(0, *cpp);
! 		copyCharString(cpp, "Go away.");
  		PUTSHORT((*cpp) - (tp + INT16SZ), tp);	/* Real RdLength */
  		*msglenp = *cpp - msg;		/* Total message length */
+ 		ns_info(ns_log_security, "attackalert: BIND version query from %s", sin_ntoa(from));
  		return (Finish);
  	}
  
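Review bot: the replacement `copyCharString(cpp, "Go away.");` still builds and returns a TXT answer for the version.bind CHAOS query (the RdLength fix-up and `return (Finish)` are unchanged), so a scanner still gets a positive response that marks the host as a BIND server carrying this patch; consider making the string configurable or refusing the query outright instead of hard-coding the text. The added `ns_info(ns_log_security, ...)` line uses `from` and `sin_ntoa()`, neither of which appears anywhere in the hunk's context, so confirm both are in scope in this function before merging; it also logs unconditionally for every such query, which lets a scanner write one security-log line per probe, so a per-source rate limit or dedup would be worth adding. Minor style point: the new line is well over 80 columns and should be wrapped to match the surrounding code.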

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
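A detection-side companion to the patch, added here as an example and not part of Craig's post or of the patch itself: a small Python script that does with the "attackalert" keyword what the post suggests doing with logcheck or swatch, parsing syslog lines from named, attributing each probe to a source address, and flagging repeat scanners. The log lines are constructed for the example; the "ip.port" rendering after "from" is an assumption about how BIND 8's sin_ntoa() formats the peer address, so the regex also accepts "ip#port" and a bare address.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines (not real log data). The message text is the
# one the patch emits; the "ip.port" form after "from" assumes BIND 8's
# sin_ntoa() renders a sockaddr_in as dotted-quad, ".", port. The other two
# lines are noise that a keyword-based tool must not pick up.
SAMPLE_LOG = """\
Jun  9 22:10:01 ns1 named[1234]: attackalert: BIND version query from 192.0.2.10.1053
Jun  9 22:10:02 ns1 named[1234]: attackalert: BIND version query from 192.0.2.10.1054
Jun  9 22:11:40 ns1 named[1234]: attackalert: BIND version query from 198.51.100.7.2048
Jun  9 22:12:00 ns1 named[1234]: Lame server on 'example.net' (in 'example.net'?): [203.0.113.5].53 'ns.example.net'
Jun  9 22:12:30 ns1 sshd[987]: Accepted password for craig from 192.0.2.10 port 2222
"""

# Anchored on the named[] tag and the exact message, so "attackalert" in some
# other daemon's output (or in a query name) cannot trigger a false alert.
ATTACKALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"attackalert: BIND version query from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:[.#](?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class VersionProbe:
    timestamp: str
    host: str
    source_ip: str
    source_port: Optional[int]


def parse_probes(log_text: str) -> List[VersionProbe]:
    """Return one VersionProbe per attackalert line; every other line is ignored."""
    probes = []
    for line in log_text.splitlines():
        m = ATTACKALERT_RE.match(line)
        if not m:
            continue  # not a named attackalert line
        port = int(m.group("port")) if m.group("port") else None
        probes.append(VersionProbe(m.group("ts"), m.group("host"), m.group("ip"), port))
    return probes


def probes_by_source(log_text: str) -> List[Tuple[str, int]]:
    """Count version.bind probes per source address, most active first."""
    return Counter(p.source_ip for p in parse_probes(log_text)).most_common()


def scanners(log_text: str, threshold: int = 2) -> List[str]:
    """Sources that probed at least `threshold` times: the repeat offenders
    worth paging on rather than a single line in a nightly report."""
    return [ip for ip, n in probes_by_source(log_text) if n >= threshold]


if __name__ == "__main__":
    for ip, n in probes_by_source(SAMPLE_LOG):
        print(f"{ip:16s} {n} version.bind probe(s)")
    print("scanners:", scanners(SAMPLE_LOG))
```

Run it against a real /var/log/messages by feeding the file contents to `probes_by_source()`; anchoring on `named[pid]:` plus the full message text is what keeps a keyword match from misfiring on unrelated lines that happen to contain "attackalert".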
