[Dshield] warning - netcraft.com

daniel uriah clemens dclemens at inline.com
Mon Nov 26 16:25:02 GMT 2001


Why don't you just deny all incoming traffic from netcraft at your
firewall?



Simply,

Daniel Uriah Clemens
dclemens at inline.com

~ Noli Me Tangere -Seneca ~

On Sat, 24 Nov 2001, ALEPH0 wrote:

> It is offensive in that they store version information, polling regularly
> after the initial request, and produce that history upon anyone's request.
> 
> However, what they are doing is not hacking.  It is just short of running a
> web proxy.  Any information they get and provide is what the web servers
> make public anyway with a simple HEAD or GET.  You could limit their access
> with something like (apache httpd.conf example):
> 
> 
> # Deny access to Netcraft.COM
> <Directory $HTDOCPATH>
>   <Limit HEAD>
>     Order allow,deny
>     Allow from all
>     Deny from 195.92.
>   </Limit>
>   <Limit GET>
>     Order allow,deny
>     Allow from all
>     Deny from 195.92.
>   </Limit>
> </Directory>
> 
> But if you deliver a 4xx denial page, you're going to provide them with what
> they want from the HEAD call anyway.  Fortunately, for people who do this,
> they apparently are not wise to that and their logic drops subsequent scans
> and throws out the data from that one.  In general it is best to just drop
> the packets at a firewall if possible.
> 
> 
> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On Behalf
> Of Josh Beckett
> Sent: Friday, November 23, 2001 11:32 PM
> To: dshield at dshield.org
> Cc: abuse at planet.net.uk
> Subject: [Dshield] warning - netcraft.com
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> netcraft.com is offering, what I find to be an offensive tool, in
> its current incarnation.
> 
> They offer a tool that allows you to scan any site you input into a
> web page for tcp/443 service and probe its offerings.  I've seen
> plenty of tools that allow similar activity, but they usually allow
> you to only scan your own ip (a much safer implementation).
> 
> The security implications are obvious to me, but they don't find
> anything wrong with their activity.  So I put it before you, my
> security comrades...be aware.
> 
> For the planet.net.uk folks --
> ENERGIS SQUARED ABUSE TICKET : 148978 (ACTIVE SYSTEM ATTACK!)
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use
> 
> iQA/AwUBO/9M+GuCvDMAxAeZEQJkpACg3U1Ts0b8Ly8y9xx+bVYU99cf9/oAn2kJ
> 0NaboZs2SfEzeOSIZRiIBKSE
> =Yk85
> -----END PGP SIGNATURE-----
> 
> 
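The point made in the quoted reply, that a 4xx denial served by the web server still answers the HEAD request with its headers, shown as an added example that is not code from the thread. A loopback-only Python server stands in for the Apache rule; `DENIED_PREFIX`, `BANNER`, `DenyByPrefix` and `probe_denied_client` are names constructed for this illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DENIED_PREFIX = "127."       # constructed stand-in for the thread's "Deny from 195.92."
BANNER = "ExampleHTTPd/1.0"  # constructed Server banner, not a real product string


class DenyByPrefix(BaseHTTPRequestHandler):
    """Behaves like an access rule at the web-server layer: 403 for a denied prefix."""

    def version_string(self):
        # Value sent in the Server header of every response, including denials.
        return BANNER

    def _respond(self):
        denied = self.client_address[0].startswith(DENIED_PREFIX)
        self.send_response(403 if denied else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET = _respond

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def probe_denied_client():
    """Start the server on loopback, send one HEAD, return (status, Server header)."""
    srv = HTTPServer(("127.0.0.1", 0), DenyByPrefix)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Server"))
        conn.close()
        return result
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    status, banner = probe_denied_client()
    # The request is refused, yet the version banner still reaches the client.
    print(f"status={status} Server={banner!r}")
```

Dropping the packets at the firewall, as both posters suggest, means no response is generated at all, so there is no status line or header to record.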



