Security Incidents mailing list archives
Re: Large DNS scans from 211.53.208.178
From: woods () WEIRD COM (Greg A. Woods)
Date: Mon, 8 May 2000 10:48:47 -0400
[ On Wednesday, May 3, 2000 at 23:35:12 (-0400), Seth Georgion wrote: ]
Subject: Re: Large DNS scans from 211.53.208.178

> I think one of the key strengths behind limiting TCP/53 through the firewall is the inability for attackers to use port 53 on inside machines. For instance, if someone were to attack a web server with the RFP Data Access Components exploit and open up a port on 53, then they could navigate through the firewall and consolidate control. Or if an employee turned on a remote control software and enabled it for 53. By specifying TCP/53 DENY then you have pretty much stopped script-kiddie exploitation of that area. Also, not sure about this, but don't most canned BIND exploits rely on TCP/53 access?
So, you'd rather sacrifice correct operation of the DNS protocol in order to defend from invisible boogie men?

Given the nature of complex attacks that are co-ordinated amongst many machines, the potential vulnerabilities of a nameserver hobbling by with UDP alone are only approximately cut in half, and that doesn't reduce the level of risk significantly -- half of a bad thing is still bad.

Why not concentrate on running fully functional DNS servers in a secure manner so that they cannot be exploited instead? If you're really paranoid, then run named on a separate, dedicated server; but normally I would assess the risk as only requiring that it run as an unprivileged user, assuming the system it runs on is reasonably secure otherwise and that it's regularly monitored (e.g. run process accounting reports regularly, perhaps once per hour, and write a filter script that e-mails or pages you with a list of all processes other than named-xfer that were run by the unprivileged user -- you should get no e-mails/pages).

-- 
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
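The hourly process-accounting filter Greg describes, written out as an added example that is not part of the original message or of any BIND distribution. It assumes the unprivileged user is called `named`, that accounting records arrive in lastcomm-style columns (`command [flags] user tty seconds start`), and that `named-xfer` is the only command that user should ever run; the sample records below are constructed.

```shell
#!/bin/sh
# Added example: report any process other than named-xfer that the
# unprivileged DNS user ran, from process-accounting output on stdin.
# Column layout is an assumption; check it against your lastcomm(1).

ACCT_USER="${ACCT_USER:-named}"     # assumed name of the unprivileged user
ALLOWED="${ALLOWED:-named-xfer}"    # the one command that user may run

# Constructed sample of lastcomm output (the flags column is optional).
SAMPLE='named-xfer      named    __   0.02 secs Mon May  8 10:40
named-xfer  S   named    __   0.01 secs Mon May  8 10:45
sh              named    __   0.01 secs Mon May  8 10:46
id              named    __   0.00 secs Mon May  8 10:46
sh              named    __   0.01 secs Mon May  8 10:47
named-xfer      named    __   0.03 secs Mon May  8 10:50
cron        F   root     __   0.00 secs Mon May  8 10:50'

# Print "command count" for every record where the user column (field 2,
# or field 3 when a flags column is present) is $ACCT_USER and the
# command is not $ALLOWED. Output is empty when nothing unexpected ran.
unexpected_procs() {
    awk -v user="$ACCT_USER" -v ok="$ALLOWED" '
        ($2 == user || $3 == user) && $1 != ok { count[$1]++ }
        END { for (c in count) printf "%s %d\n", c, count[c] }
    ' | sort
}

# Build the alert text; prints nothing when the accounting log is clean,
# so the caller can mail or page only when there is a body.
alert_body() {
    hits=$(unexpected_procs)
    if [ -n "$hits" ]; then
        printf 'Unexpected processes run by %s (expected only %s):\n%s\n' \
            "$ACCT_USER" "$ALLOWED" "$hits"
    fi
}

# Stand-alone run over the constructed sample; in a cron job replace the
# printf with: lastcomm "$ACCT_USER"  (and pipe a non-empty body to mail).
printf '%s\n' "$SAMPLE" | alert_body
```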