

Silly patch to report version.bind requests


Date: Wed, 10 Jun 1998 17:18:45 -0400
From: "Craig H. Rowland" <crowland@PSIONIC.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Silly patch to report version.bind requests

Hello,

I wrote this patch for BIND 8.1.2 that will change the version number
returned and (most importantly) write to your logs that a person attempted
to do so.


To apply:

cd src/bin/named
patch < patchfile.name
re-compile and run (preferably chrooted())

(See http://www.psionic.com/papers/dns.html or
http://www.homeport.org/~adam/dns.html for more information)


Test using command:

dig @127.0.0.1 version.bind chaos txt

You should see "Go away." come back instead of the BIND version number and
your log should have an "attackalert" message in it with the IP of the
perpetrator. This can be grep'd for if you use an automated logfile
auditing tool like swatch or <ahem> logcheck, which already looks for
this keyword:

http://www.psionic.com/abacus/abacus_logcheck.html

;)

While I don't suspect this will break anything, I would like to hear if it
does. I've been running the patch without incident, but no guarantees as
usual.


Thanks,

-- Craig





*** ns_req.c    Tue Jun  9 21:56:26 1998
--- ns_req.new  Tue Jun  9 21:46:58 1998
***************
*** 665,673 ****
                PUTLONG(0, *cpp);               /* TTL */
                tp = *cpp;                      /* Temp RdLength */
                PUTSHORT(0, *cpp);
!               copyCharString(cpp, ShortVersion);
                PUTSHORT((*cpp) - (tp + INT16SZ), tp);  /* Real RdLength */
                *msglenp = *cpp - msg;          /* Total message length */
                return (Finish);
        }

--- 665,674 ----
                PUTLONG(0, *cpp);               /* TTL */
                tp = *cpp;                      /* Temp RdLength */
                PUTSHORT(0, *cpp);
!               copyCharString(cpp, "Go away.");
                PUTSHORT((*cpp) - (tp + INT16SZ), tp);  /* Real RdLength */
                *msglenp = *cpp - msg;          /* Total message length */
+               ns_info(ns_log_security, "attackalert: BIND version query from %s", sin_ntoa(from));
                return (Finish);
        }
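
Review bot: the ns_info() call added on the `+` line fires once for every version.bind query with no throttle, so a client that repeats the query can fill the security log with "attackalert" lines. Consider limiting it to one message per source per interval, or counting queries and logging a summary. The replacement string "Go away." is hard-coded where ShortVersion used to be; a #define or a configuration option would let a site change the reply without editing ns_req.c again. The new line also runs well past 80 columns, unlike the lines around it, so the arguments should be wrapped.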

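An added example, not part of the original post and not logcheck's own code: a small shell function that counts the "attackalert" lines written by the patched named per source address, so repeated version probes from one host stand out. It assumes syslog-style lines and that sin_ntoa() renders the source as "[address].port"; the sample log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the "attackalert" lines the patch writes.
# Assumptions (not from the original post): syslog-style log lines and
# a source rendered by sin_ntoa() as "[address].port".

# sample_log: constructed log lines using documentation addresses.
sample_log() {
    cat <<'EOF'
Jun 10 17:20:01 ns1 named[312]: attackalert: BIND version query from [192.0.2.10].1042
Jun 10 17:20:03 ns1 named[312]: attackalert: BIND version query from [192.0.2.10].1043
Jun 10 17:21:40 ns1 named[312]: attackalert: BIND version query from [198.51.100.7].53
Jun 10 17:22:10 ns1 named[312]: reloading nameserver
Jun 10 17:25:12 ns1 named[312]: attackalert: BIND version query from [192.0.2.10].1050
EOF
}

# version_probe_sources [THRESHOLD]
# Reads a log on stdin and prints "count address" for every source with
# at least THRESHOLD version.bind queries (default 1), busiest first.
version_probe_sources() {
    threshold=${1:-1}
    awk -v min="$threshold" '
        /attackalert: BIND version query from / {
            src = $0
            sub(/.*attackalert: BIND version query from /, "", src)
            end = index(src, "]")
            if (substr(src, 1, 1) == "[" && end > 0)
                src = substr(src, 2, end - 2)   # drop brackets and ".port"
            else
                sub(/[ \t].*$/, "", src)        # fallback: first token
            count[src]++
        }
        END {
            for (s in count)
                if (count[s] >= min)
                    print count[s], s
        }
    ' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample: sources seen at least twice.
sample_log | version_probe_sources 2
```

On a real host the same function would be fed the file that receives named's security channel, for example `version_probe_sources 5 < /var/log/messages`, with the path depending on the local syslog configuration.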