I've already sent email to the tech people at F5 asking if their product
does this in normal operation. As I find out information I'll definitely
post it here. We may end up using our corporate weight with Microsoft to
dig into this a little farther. I hate to just outright dig at Microsoft,
but this is ridiculous, there's no reason for their product to do this
unless it's broken. Query types of TXT w/ a class of CHAOS and a query of
"VERSION.BIND" doesn't exactly "just happen" from a malformed packet.
--Bill
--billm_at_danger.ms
----- Original Message -----
From: "Klaus Steding-Jessen" <jessen_at_NIC.BR>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Tuesday, May 30, 2000 10:18 AM
Subject: Re: Microsoft version.binding us now?
<snip>
> >From: ITG Information Security Center <infosec_at_microsoft.com>
> >Sender: Greg Galford <ggalford_at_microsoft.com>
> >Subject: FW: SECURITY: Hacking activity from your domain
> >Date: Fri, 26 May 2000 07:31:42 -0700
> >X-Mailer: Internet Mail Service (5.5.2651.58)
> >
> >
> >Hi, these packets you are seeing are not probes, but are coming from
> >an F5 networks product, 3dns (see:
> >http://www.f5.com/3dns/index.html).
>
> [snip]
>
> Hard to believe that 3dns is using version.bind probes to collect RTT
> information. Can anyone confirm this?
>
> Klaus.
>
Received on Jun 01 2000
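
Added example, not part of the original thread: a minimal Python check that flags the query shape described in the message above (type TXT, class CHAOS, name "VERSION.BIND") in the raw bytes of a DNS query, for use when reviewing captured traffic. The function names are hypothetical and the sample packets are constructed by `build_query` for illustration.

```python
import struct

QTYPE_TXT = 16     # RFC 1035 TXT record type
QCLASS_CHAOS = 3   # RFC 1035 class "CH"


def build_query(qname, qtype, qclass, txid=0x1234):
    """Construct a sample DNS query packet (constructed test input only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_question(packet):
    """Return (qname, qtype, qclass) for the first question, or None."""
    if len(packet) < 12:
        return None
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount < 1:      # a response, or no question
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None                     # name runs off the end
        length = packet[pos]
        pos += 1
        if length == 0:                     # root label ends the name
            break
        # Values above 63 are compression pointers or invalid; the first
        # question has nothing earlier to point at, so reject them.
        if length > 63 or pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def is_version_bind_query(packet):
    """True for a TXT/CHAOS query for version.bind (name is case-insensitive)."""
    question = parse_question(packet)
    if question is None:
        return False
    qname, qtype, qclass = question
    return (qname.lower() == "version.bind"
            and qtype == QTYPE_TXT and qclass == QCLASS_CHAOS)
```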