[lug] TSIG overflow

Sean Reifschneider jafo at tummy.com
Wed Feb 28 16:08:04 MST 2001

On Wed, Feb 28, 2001 at 04:30:17PM -0600, charles at lunarmedia.net wrote:
>exactly what did occur. the client wants a full blown demonstration on an
>offnet box configured as they were.

Saying that there are known, documented, and fixed issues in the versions of
BIND they were running isn't enough?  They have to be shown it in action?

The BIND exploit combines ease of scanning with the ability to gain root
access.  A combination that the crackers love.  We've been seeing a huge
increase in the BIND scanning and exploits over the last few months,
though a broadcast mailing to our clients offering a check of their system
has really reduced the problems we've seen on existing client's machines.

To give you an idea, last night I was watching the logs on one of our boxes
while doing some testing of a program, and over 10 minutes I saw 20 different
IPs scanning DNS on that machine...

I'm forced to wonder why they want you to demonstrate the exploit.  Are
they planning on trying to make use of it, or do they not believe you
that it's possible?

 These go to eleven.
                 -- _This_is_Spinal_Tap_
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python

More information about the LUG mailing list