[Dshield] warning - netcraft.com

ALEPH0 aleph0 at pacbell.net
Sat Nov 24 16:13:51 GMT 2001


It is offensive in that they store version information, polling regularly
after the initial request, and produce that history upon anyone's request.

However, what they are doing is not hacking.  It is just short of running a
web proxy.  Any information they get and provide is what the web servers
make public anyway with a simple HEAD or GET.  You could limit their access
with something like (apache httpd.conf example):


# Deny access to Netcraft.COM
<Directory $HTDOCPATH>
  <Limit HEAD>
    Order allow,deny
    Allow from all
    Deny from 195.92.
  </Limit>
  <Limit GET>
    Order allow,deny
    Allow from all
    Deny from 195.92.
  </Limit>
</Directory>

But if you deliver a 4xx denial page, you're going to provide them with what
they want from the HEAD call anyway.  Fortunately, for people who do this,
they apparently are not wise to that and their logic drops subsequent scans
and throws out the data from that one.  In general it is best to just drop
the packets at a firewall if possible.


-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On Behalf
Of Josh Beckett
Sent: Friday, November 23, 2001 11:32 PM
To: dshield at dshield.org
Cc: abuse at planet.net.uk
Subject: [Dshield] warning - netcraft.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

netcraft.com is offering, what I find to be an offensive tool, in
its current incarnation.

They offer a tool that allows you to scan any site you input into a
web page for tcp/443 service and probe its offerings.  I've seen
plenty of tools that allow similar activity, but they usually allow
you to only scan your own ip (a much safer implementation).

The security implications are obvious to me, but they don't find
anything wrong with their activity.  So I put it before you, my
security comrades...be aware.

For the planet.net.uk folks --
ENERGIS SQUARED ABUSE TICKET : 148978 (ACTIVE SYSTEM ATTACK!)

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBO/9M+GuCvDMAxAeZEQJkpACg3U1Ts0b8Ly8y9xx+bVYU99cf9/oAn2kJ
0NaboZs2SfEzeOSIZRiIBKSE
=Yk85
-----END PGP SIGNATURE-----




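The reply above makes two points a defender can check in their own logs: the survey host polls regularly after the first request, and an Apache-level Deny still answers with a 4xx page (whose Server header carries the version string the survey wants), so dropping at the firewall is the better control. The script below is an added example, not code from either poster: it parses Apache combined-format access log lines, collects hits from the 195.92.0.0/16 range the httpd.conf snippet denies, reports the interval between consecutive hits per source (to confirm regular polling), and lists sources that were refused with a 4xx but still got an answer from httpd. The log lines, the user-agent string, and the 10.0.0.x addresses are constructed for this example.

```python
"""Added example (not from the original list post): spot regular HEAD/GET
polling from a watched source range in Apache combined-format logs, and
list sources that httpd refused (4xx) but still answered.

Assumptions (not stated in the post): logs are in Apache's combined
format, and the watched prefix is 195.92.0.0/16, matching the
"Deny from 195.92." lines in the httpd.conf snippet above.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

WATCHED = ipaddress.ip_network("195.92.0.0/16")

# Apache combined format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: one survey host polls "/" about 24h apart and is
# denied (403) on the second try; a second survey host is denied on GET;
# the 10.0.0.x clients are ordinary traffic.
SAMPLE_LOG = """\
195.92.1.10 - - [23/Nov/2001:23:10:01 +0000] "HEAD / HTTP/1.0" 200 0 "-" "survey-bot/1.0 (constructed)"
10.0.0.5 - - [23/Nov/2001:23:11:15 +0000] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
195.92.1.10 - - [24/Nov/2001:23:10:03 +0000] "HEAD / HTTP/1.0" 403 231 "-" "survey-bot/1.0 (constructed)"
195.92.2.33 - - [24/Nov/2001:23:12:44 +0000] "GET / HTTP/1.0" 403 231 "-" "survey-bot/1.0 (constructed)"
10.0.0.7 - - [24/Nov/2001:23:13:00 +0000] "HEAD / HTTP/1.0" 200 0 "-" "curl/7.9"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["method"] = rec["req"].split(" ", 1)[0]
    return rec


def find_hits(log_text, watched=WATCHED):
    """Return {source_ip: [(time, method, status), ...]} for the watched range."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["ip"] in watched:
            hits[str(rec["ip"])].append((rec["time"], rec["method"], rec["status"]))
    return dict(hits)


def polling_intervals(hits):
    """Seconds between consecutive requests per source; a steady value
    (e.g. ~86400) is the regular polling the post describes."""
    out = {}
    for ip, entries in hits.items():
        times = sorted(t for t, _, _ in entries)
        out[ip] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return out


def refused_but_answered(hits):
    """Sources that got a 4xx from httpd.  A denial page is still an HTTP
    response with a Server header, so these are the sources to drop at
    the firewall rather than only in httpd.conf."""
    return sorted(
        ip for ip, entries in hits.items()
        if any(400 <= status < 500 for _, _, status in entries)
    )


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    print("intervals:", polling_intervals(hits))
    print("refused but still answered by httpd:", refused_but_answered(hits))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; anything listed by refused_but_answered is a source that received a response from httpd despite the Deny, which is the case the post says should be handled by dropping packets at the firewall instead.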