[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] <b>Where are you guys standing re: the (full) disclosure question?</b>
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] <b>Where are you guys standing re: the (full) disclosure question?</b>
- From: Pedro Luis Karrasquillo <peter_toyota@xxxxxxxxxxx>
- Date: Thu, 12 Dec 2013 22:02:55 -0400
Humans, Dwarves, Elves, Fairies and all free folk on this list:
Meli Kalikimaka.
I think I found a relatively small bug with Windows Server running DNS with
recursion turned off, that still allows the server to be used for DDOS
amplification attacks. There are a sizable number of these on the net, and I do
not think operators realize that the server is not totally silent with
recursion turned off.
I want to put my findings here on the list, as well as on my blog but I am
unsure if :
1. should I tell MS first?
2. being this is possibly my first bug as a researcher, will this get me into
trouble (legal or otherwise)?
3. will this make me a rock star?
I have details on the bug, as well as remediation steps. I would not say I
"discovered" it per se, as I found it while studying an attack on a network I
protect, but I do not see it documented anywhere either.
What say you, Wise List Readers?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/