Re: Fingerprinting DNS implementations.
On Tue, 9 Dec 2003, Jim Reid wrote:
> >>>>> "Dean" == Dean Anderson <dean@av8.com> writes:
>
> Dean> I'm wondering why you are doing this. This sort of tool
> Dean> could be abused by crackers.
>
> So could many other tools. Like compilers. Do you want to ban them too?
Compilers are indispensable. Fingerprinting is not (I think)
indispensable.
> Dean> I am particularly where it sounds like you are looking for
> Dean> fingerprints for vendors that have obscured their responses
> Dean> in order to prevent fingerprinting.
>
> Well perhaps those vendors would then spend time fixing security bugs
> in their code instead of investing in futile efforts to conceal them?
Much easier said than done. Wait. Clancy! Fire the security bug
developers.
> Dean> DNS is a critical piece of infrastructure, and fingerprints
> Dean> allow the cracker to use the right attack the first time,
> Dean> without revealing their attack.
>
> This presumes the crackers and script kiddies have that sort of
> finesse. If they've got a bunch of attacks to penetrate name servers,
> they'll more than likely try them all and go with the ones that
> succeed against their victims.
Well, now they can have that finesse, without even learning about DNS.
> And anyway, if an attack succeeds, it's too late. The damage has already
> been done. How the choice of attack was made -- if there was a
> selection! -- is irrelevant.
No, actually, it isn't. The slightest irregularity can trigger discovery.
The Debian crack was discovered because of an unexpected kernel Oops. If
the crackers had used better fingerprinting, they would have gotten in
undetected, and much more damage would have been done. As it was, they
got in, but because of their lack of accurate fingerprinting, they were
detected (after the fact) but before they could cause great damage.
I guess we can't really prevent crackers from getting fingerprinting, if
they want to, but it seems smart people are making it easier than it has
to be.
--Dean
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>