Firewall Wizards mailing list archives

RE: terminal services


From: "Reckhard, Tobias" <tobias.reckhard () secunet com>
Date: Thu, 30 Jan 2003 08:10:45 +0100

On Wednesday, January 29, 2003 11:09 PM, Paul Robertson wrote:
Let's not forget that nailing DNS source ports to 53 reduces somewhat
(though by a trivial amount) resistance to blind spoofing attacks.

Does that actually increase resistance against spoofing attacks? If a DNS
client uses a new, randomly chosen source port for every query, it's got a
list of valid response ports. Return packets with different destination
ports can be dropped immediately. If I restrict myself to one randomly
chosen source port, that protection deteriorates over time. If I use a
well-known and therefore predictable source port, I've lost that protection
completely. It means I have to accept each and every packet coming in as
long as I've got outstanding queries.

The DNS ID can be used for much better protection against spoofing attacks.
dnscache uses a cryptographic generator for it.

And see also: http://cr.yp.to/djbdns/forgery.html
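The matching argument above can be made concrete with a small model. The following is an added example, not code from the original post or from dnscache/djbdns: a toy stub resolver that accepts a reply only when destination port, transaction ID and question all match an outstanding query, and counters that record whether a forged packet was discarded on the port check (before any ID comparison) or on the ID check. The port range, the 16-bit ID space and the single outstanding query are assumptions of the model, not facts from the post.

```python
"""Constructed model of client-side DNS reply matching under a nailed source
port versus a fresh random port per query (added example, not from the post)."""
import math
import random
from dataclasses import dataclass

# Assumptions of this model:
EPHEMERAL_PORTS = range(1024, 65536)   # ports a client may choose at random
ID_SPACE = 1 << 16                     # 16-bit DNS transaction ID
WELL_KNOWN_PORT = 53                   # the "nailed" source port under discussion
QNAME = "www.example.com."             # constructed sample question


@dataclass
class Stats:
    dropped_on_port: int = 0   # no query outstanding on that destination port
    dropped_on_id: int = 0     # port in use, but ID or question did not match
    accepted: int = 0


class StubResolver:
    """A reply is accepted only if its destination port, ID and question
    match a query that is still outstanding."""

    def __init__(self, fixed_port=None, seed=0):
        self.fixed_port = fixed_port
        self.rng = random.Random(seed)
        self.outstanding = {}          # (port, txid) -> qname
        self.ports_in_use = set()
        self.stats = Stats()

    def send(self, qname):
        port = (self.fixed_port if self.fixed_port is not None
                else self.rng.choice(EPHEMERAL_PORTS))
        txid = self.rng.randrange(ID_SPACE)
        self.outstanding[(port, txid)] = qname
        self.ports_in_use.add(port)
        return port, txid

    def receive(self, dst_port, txid, qname):
        if dst_port not in self.ports_in_use:
            self.stats.dropped_on_port += 1    # cheap check, no ID comparison needed
            return False
        if self.outstanding.get((dst_port, txid)) != qname:
            self.stats.dropped_on_id += 1
            return False
        del self.outstanding[(dst_port, txid)]
        if not any(p == dst_port for p, _ in self.outstanding):
            self.ports_in_use.discard(dst_port)   # port is free again
        self.stats.accepted += 1
        return True


def forgery_probability(fixed_port: bool) -> float:
    """Chance that one blind forged reply for a known question is accepted:
    with a nailed port only the ID is unknown, otherwise port and ID both are."""
    if fixed_port:
        return 1 / ID_SPACE
    return 1 / (ID_SPACE * len(EPHEMERAL_PORTS))


def entropy_bits(fixed_port: bool) -> float:
    """Bits a blind forger has to guess for a single outstanding query."""
    return math.log2(1 / forgery_probability(fixed_port))


def simulate(fixed_port: bool, trials: int, seed: int = 1) -> Stats:
    """Feed `trials` blind guesses to a resolver holding one outstanding query
    for QNAME and report at which check each guess was discarded."""
    resolver = StubResolver(WELL_KNOWN_PORT if fixed_port else None, seed=seed)
    resolver.send(QNAME)
    guess = random.Random(seed + 1)
    for _ in range(trials):
        port = WELL_KNOWN_PORT if fixed_port else guess.choice(EPHEMERAL_PORTS)
        resolver.receive(port, guess.randrange(ID_SPACE), QNAME)
    return resolver.stats


if __name__ == "__main__":
    for fixed in (True, False):
        print(f"fixed_port={fixed}: {entropy_bits(fixed):.1f} bits to guess, "
              f"p(one forgery)={forgery_probability(fixed):.3e}, "
              f"after 200000 guesses: {simulate(fixed, 200000)}")
```

With the nailed port every forged packet survives the port check and has to be compared against the outstanding IDs; with a random port per query almost all of them are discarded on the port check alone, which is the "dropped immediately" behaviour described above. Note that the model keeps the ID uniformly random in both cases; a predictable ID generator would erase the 16 bits that the ID contributes regardless of the port policy.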

For non-recursive resolvers, it may be a slight issue, since fewer packets
gives a good chance to win a race.

I'm sorry, I don't understand what you mean.

For recursive resolvers, or resolvers doing resolution based on external
factors (like e-mail), it's probably not much of an issue to predict the query
port.

If they are chosen randomly for individual queries, I do believe an attacker
would have serious difficulties predicting them. What kind of an issue do
you mean, difficulty for the attacker or security issue for the defender?

Cache poisoning attacks being easier certainly aren't a good thing, even if
it's a very small bit easier.

But locking the source port is counterproductive.

I think next time I have to build a network though, the mailserver's DNS
will be separate from the general populace's resolver.

What would the differences in their configuration be?

Cheers,
Tobias
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards