On Thu, 27 Mar 2003 Michael.Dillon@radianz.com wrote:
> I suggest that an appropriate technique would be for the BIND server to originate traffic on its local subnet that would look suspicious and possibly trigger intrusion alarms. Send out some packets to the broadcast address. Do some portscanning of all addresses on the subnet. Find any open port 80 and retrieve a URL containing BIND/server/at/10.7.7.1/has/security/vulnerability, find any open port 25 and send email to postmaster containing the same message, etc.
Better yet, why not just have it print to console "BIND INSECURE, UPGRADE, SHUTTING DOWN THE SERVER NOW" and then halt? Far more likely to get noticed.
> Not enough traffic to be a DoS but enough to show up in various logs in case someone is looking at some of them.

If you have somebody looking at firewall or IDS logs, you won't need to be told to upgrade BIND. Besides, plenty of networks that do stay current on application security would miss a little pretend DoS.

The best solutions I can come up with all revert to the undesired "stop working" solution, in effect. My favorite notion, which I didn't even suggest because of Paul's mandate that the solution not involve breaking BIND, would be to return, in response to every query, the IP address of a special website that says "THE VERSION OF BIND ON YOUR NAMESERVERS IS VULNERABLE" or whatever, and include instructions on how to upgrade. Sure, it will break everything except HTTP, and flood this webserver with a ridiculous amount of unwanted traffic (BGP anycast with filtering of everything not destined for port 80, to help stem that a little?), but at least people will know why nothing is working, once they fire up a browser.

Looming large, of course, is the fact that people would have to upgrade to get any of this "security upgrade" functionality. So we'd really be only partially solving a problem in which we won't see any benefit for years to come, which is usually enough impetus to kill a project these days.

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972 Xecunet, Inc. www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access