Security Incidents mailing list archives

Re: Microsoft version.binding us now?


From: j.hall () F5 COM (John Hall)
Date: Tue, 27 Jun 2000 21:26:07 -0700


Bill Marquette wrote:
> Unfortunately, there seems to have been an epidemic increase in usage of the
> various features of the F5 3dns product.

I can't really feel sad about people using our products...   ;-)

> This has got me wondering if there's any nasty
> games that could be played seeing as these are automated responses to hits
> on web servers.

I doubt that any type of DoS is possible.  I work on the BIG-IP product line,
but I'm trying to research the details you've requested.  My current
understanding is that the 3DNS query is only generated when a DNS lookup
is performed (rather than per hit) and the queries are rate limited to
about one per 5 minutes per query destination.

> What I find most annoying about this is that multi-homed
> networks utilizing internal squid proxies and the round-robining
> capabilities to load balance web usage make 3DNS triangulation pointless.

Agreed, although our current research indicates that 3DNS triangulation works
at least 90% of the time.

> Has anyone thought of a way to ferret out 3DNS signatures versus positive
> cracker attempts?  While a human can see a pattern in the 3DNS queries,
> automation can't (that I know of) and stupidly emails (and occasionally
> pages) us from these false positives.  Since I know there's at least one F5
> person on this list, maybe he can answer :)

:-)  -  There are at least two of us that I know about.

> Is there anything unique about the signature that we can watch for?

Probably.  One thing you should note is that the "version.bind" probing has
been removed in the latest builds of 3DNS.  I think you're due for relief
from those false positive pages and emails...  If you really want, I can
take one of the 3DNS developers out to lunch and wring the details from
him...

> OTOH, maybe we don't want to know, I'd rather have the false positives
> than find a way to ignore the false positive and have some kid create a
> scanner based on that signature.

Very good point.

> So I guess a better question would be, if we actively block version.bind
> and "." requests in our BIND configs, does 3DNS still get useful
> information to calculate RTT?

I'm not sure, although I don't see why not.  A reset from the destination
is just as clear a signal as a valid response for RTT measurements.

> If not, would F5 consider making it clear in their documentation that
> numerous admins block such requests?

Well, it depends on how you define "numerous".

We are trying to collect information to improve the network experience of
your users when they go to one of our customers' web sites.  If you object
to 3DNS collecting this information at all, then I'm not sure if there's
any way for us to come to any kind of a compromise.  People are willing
to pay for these features and they are likely to only get more popular.

If you don't mind 3DNS collecting RTT information and just object to certain
ways 3DNS does it, then we hear you loud and clear, and are constantly
endeavoring to make 3DNS more stealthy so it does not ring your alarms.

That last sentence should make you uneasy though.  If we are successful at
making 3DNS able to collect the information it needs without ringing your
alarms (and we are getting there), then that means that others may also
use these methods to collect information about your network without your
knowledge.  I'd think that you might be better served by making sure that
"version.bind" and other such information gathering does not return any
information you don't want propagated and by setting your alarm thresholds
higher.

> For the record, I know of at least one 3DNS user that got hounded the day
> they started using the product.  I suspect they started using the other RTT
> features of the product to stop getting calls and emails from angry admin
> staff (one of them being us giving them a friendly call telling them they'd
> possibly been cracked).

One of our newest features (in BIG-IP, but not yet released in 3DNS) will
probably eliminate the need for probes at all.  In the near term, your
patience is well appreciated.

> --Bill
>
> Bill Marquette
> billm () danger ms

--
John Hall <j.hall () f5 com>                                     F5 Networks, Inc.
Senior Test Engineer                                          206-505-0800

There is no delight the equal of dread.  As long as it is somebody else's.
                --Clive Barker
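The practical question left open in the thread (Bill's "ferret out 3DNS signatures versus positive cracker attempts", and John's advice to stop answering version.bind and raise alarm thresholds) comes down to one distinction: a rate-limited RTT probe sends one chaos-class query per destination every few minutes, while a scanner fires a burst. The script below is an added example written for this archive page; it is not F5 code and was not posted by either participant. It assumes BIND 9 style query-log lines of the form `<date> client <ip>#<port>: query: <name> <class> <type>`, uses constructed sample lines, and treats the "about one per 5 minutes" interval John quotes as the window; the list of probe names and the root-NS heuristic are my assumptions, not anything 3DNS is documented to send.

```python
"""Triage chaos-class "version.bind" style probes in BIND query logs.

Added example, not F5's code: a source whose probes arrive no faster than
one per window (the ~5-minute rate the thread describes for 3DNS) is
reported as an RTT probe; a burst of probes from one source is a scan.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed query-log line shape (BIND 9 style; trailing flags are ignored):
#   <dd-Mon-yyyy hh:mm:ss.fff> client <ip>#<port>: query: <name> <class> <type>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client "
    r"(?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Assumed set of names that only fingerprint the server (CH class), plus the
# root NS query that the thread mentions admins blocking alongside version.bind.
CHAOS_PROBES = {"version.bind", "hostname.bind", "authors.bind", "id.server"}

# Constructed sample log: 198.51.100.7 probes once every ~5 minutes,
# 203.0.113.9 fires a burst, 192.0.2.33 is an ordinary resolver.
SAMPLE_LOG = """\
27-Jun-2000 21:00:01.000 client 198.51.100.7#4001: query: version.bind CH TXT +
27-Jun-2000 21:00:01.200 client 203.0.113.9#4444: query: version.bind CH TXT +
27-Jun-2000 21:00:01.250 client 203.0.113.9#4445: query: . IN NS +
27-Jun-2000 21:00:01.300 client 203.0.113.9#4446: query: VERSION.BIND CH TXT +
27-Jun-2000 21:00:02.000 client 203.0.113.9#4447: query: hostname.bind CH TXT +
27-Jun-2000 21:00:02.500 client 203.0.113.9#4448: query: authors.bind CH TXT +
27-Jun-2000 21:05:02.000 client 198.51.100.7#4002: query: version.bind CH TXT +
27-Jun-2000 21:06:00.000 client 192.0.2.33#5050: query: www.example.com IN A +
27-Jun-2000 21:10:03.000 client 198.51.100.7#4003: query: version.bind CH TXT +
"""


def parse_queries(text):
    """Return [(timestamp, client_ip, qname, qclass, qtype)]; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"],
                           m["name"].lower(), m["cls"].upper(), m["qtype"].upper()))
    return events


def is_probe(qname, qclass, qtype):
    """True for server-fingerprinting queries rather than real name resolution."""
    if qclass == "CH" and qname in CHAOS_PROBES:
        return True
    return qname == "." and qtype == "NS"   # root NS query used as a fingerprint


def triage(events, window=timedelta(minutes=5), max_per_window=1):
    """Return {client_ip: (verdict, probe_count)} for every source that probed.

    verdict is "scan" when any span of length `window` holds more than
    `max_per_window` probes from that source, otherwise "rtt-probe".
    """
    per_ip = defaultdict(list)
    for ts, ip, qname, qclass, qtype in events:
        if is_probe(qname, qclass, qtype):
            per_ip[ip].append(ts)

    verdicts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        burst = False
        j = 0                      # right edge of the sliding window (never moves left)
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start < window:
                j += 1
            if j - i > max_per_window:   # number of probes in [start, start + window)
                burst = True
                break
        verdicts[ip] = ("scan" if burst else "rtt-probe", len(stamps))
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, n) in sorted(triage(parse_queries(SAMPLE_LOG)).items()):
        print(f"{ip:15} {verdict:10} probes={n}")
```

Paging only on a "scan" verdict is the "set your alarm thresholds higher" John recommends, without ignoring version.bind traffic outright. Independently of the alerting, the other half of his advice is a one-line change: BIND 9 accepts `version none;` (and `hostname none;`) inside `options { ... };`, which makes the server refuse those chaos-class queries instead of answering with its real version string; the probe still gets an RTT signal, but no fingerprint.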


