F5 3DNS (was: RE: [Snort-users] False PING NMAP TCP (still))

Bill Marquette wlmarque at ...8...
Tue Aug 8 10:36:02 EDT 2000


From:     Steve Hutchins <Steve.Hutchins at ...277...> on 08/07/2000 05:17 PM
<SNIP>
> I have blocked the address at the external router.
> Do you know of any way of fingerprinting the source box to
> see if it is an F5 box? (I haven't tried nmap yet).

The only way I've seen to positively identify it is to treat each one of these as
an attack (*sigh*) and alert the admins of the offending site.  Usually they are
quite harried (their own damn fault) with such messages and are really blunt and
will tell you that it's F5.  The closest sig I've been able to pick out is they
usually come in pairs of IPs and tend to make a couple of attempts (with the exception
of Microsoft's F5 servers, which would try for HOURS).  What we tend to see in our
bind logs (and I'm sure snort would be interesting to look at too, but I don't
currently have any logs for these subnets) is:
 named[355]: 21-Jun-2000 09:58:00.452 security: notice: unapproved query from [xxx.xxx.xxx.xxx].19870 for "."
 named[355]: 21-Jun-2000 09:58:00.453 security: notice: unapproved query from [xxx.xxx.xxx.xxx].19870 for "."
 named[355]: 21-Jun-2000 09:59:00.753 security: notice: unapproved query from [xxx.xxx.xxx.xxx].19897 for "VERSION.BIND"
 named[355]: 21-Jun-2000 09:59:00.754 security: notice: unapproved query from [xxx.xxx.xxx.xxx].19897 for "VERSION.BIND"
or just straight "." queries or "VERSION.BIND".

Below is a list of F5 servers we've seen and either confirmed or based on the
signature and site contents we've assumed to be F5 servers.  Hopefully that's of
use to someone.

Confirmed positives
--------------------
gannett.com -- usatoday.com
216.33.87.8, 167.8.29.52
Microsoft netblocks
207.46.144.[6|7], 207.46.140.100

Unconfirmed, but assumed
------------------------
Misc sites at Exodus
209.67.29.[8|9]
216.33.87.[8-10]
ISI.net
206.251.19.80, 206.251.19.8[8|9]
Coldwatercreek.com - ecommerce site
12.32.39.30
204.120.131.30
USA Today netblock
167.8.29.[52|91]


> Can the user override the exclusion list or do the boxes
> check centrally?

User as in the remote admin?  Yes.  If you mean you yourself, only by complaining,
and as loudly as you can.  The boxes don't have a central DB, i.e. F5 doesn't
control who not to query.

Below is a snippet from an email I sent and the reply I got from an F5 engineer a
while back.
> Is there anything unique about the signature that we can watch for?

 Probably.  One thing you should note is that the "version.bind" probing has
 been removed in the latest builds of 3DNS.  I think you're due for relief
 from those false positive pages and emails...  If you really want, I can
 take one of the 3DNS developers out to lunch and wring the details from
 him...


--Bill
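As an added example, not part of the original thread: a small Python parser for the BIND "unapproved query" lines quoted above that groups them by source IP and flags sources which issued both the "." and VERSION.BIND probes within a short window (the pairing Bill describes), while separately reporting "."-only sources, since the engineer's reply says newer 3DNS builds dropped the version.bind probe. The sample log, its PID and its IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the BIND "security: notice: unapproved query" lines quoted in the post.
LOG_RE = re.compile(
    r'named\[\d+\]: (?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) '
    r'security: notice: unapproved query from '
    r'\[(?P<ip>[^\]]+)\]\.(?P<port>\d+) for "(?P<name>[^"]+)"'
)
PROBE_NAMES = {".", "VERSION.BIND"}  # the two names the post says 3DNS probes for

def parse_line(line):
    """Return {ts, ip, port, name} for an unapproved-query line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            "ip": m["ip"], "port": int(m["port"]),
            "name": m["name"].upper()}  # DNS names are case-insensitive

def find_3dns_probes(lines, window_s=120):
    """Group probe queries by source IP. 'full' = both "." and VERSION.BIND
    within window_s seconds (the pattern in the post); 'root-only' = only "."
    (newer builds dropped the version.bind probe); anything else is 'other'."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["name"] in PROBE_NAMES:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        names = {r["name"] for r in recs}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if names == PROBE_NAMES and span <= window_s:
            kind = "full"
        elif names == {"."}:
            kind = "root-only"
        else:
            kind = "other"
        report[ip] = {"kind": kind, "queries": len(recs),
                      "ports": sorted({r["port"] for r in recs}), "span_s": span}
    return report

# Constructed sample log; source IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
named[355]: 21-Jun-2000 09:58:00.452 security: notice: unapproved query from [192.0.2.10].19870 for "."
named[355]: 21-Jun-2000 09:58:00.453 security: notice: unapproved query from [192.0.2.10].19870 for "."
named[355]: 21-Jun-2000 09:59:00.753 security: notice: unapproved query from [192.0.2.10].19897 for "VERSION.BIND"
named[355]: 21-Jun-2000 09:59:00.754 security: notice: unapproved query from [192.0.2.10].19897 for "version.bind"
named[355]: 21-Jun-2000 10:02:11.001 security: notice: unapproved query from [198.51.100.7].1053 for "."
named[355]: 21-Jun-2000 10:05:00.000 security: notice: approved query from [203.0.113.5].53 for "example.com"
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_3dns_probes(SAMPLE_LOG).items():
        print(ip, info)
```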