Security Incidents mailing list archives

Re: Large DNS scans from 211.53.208.178


From: woods () WEIRD COM (Greg A. Woods)
Date: Mon, 8 May 2000 10:48:47 -0400


[ On Wednesday, May 3, 2000 at 23:35:12 (-0400), Seth Georgion wrote: ]
Subject: Re: Large DNS scans from 211.53.208.178

I think one of the key strengths behind limiting TCP/53 through the
firewall is the inability for attackers to use port 53 on inside
machines. For instance if someone were to attack a web server with the
RFP Data Access Components exploit and open up a port on 53 then they
could navigate through the firewall and consolidate control. Or if an
employee turned on a remote control software and enabled it for 53. By
specifying TCP/53 DENY, you have pretty much stopped
script-kiddie exploitation of that area. Also, not sure about this,
but don't most canned BIND exploits rely on TCP/53 access?

So, you'd rather sacrifice correct operation of the DNS protocol in
order to defend from invisible boogie men?  Given the nature of complex
attacks that are co-ordinated amongst many machines, the potential
vulnerabilities of a nameserver hobbling by with UDP alone are only
approximately cut in half and that doesn't reduce the level of risk
significantly -- half of a bad thing is still bad.

Why not concentrate on running fully functional DNS servers in a secure
manner so that they cannot be exploited instead?  If you're really
paranoid then run named on a separate, dedicated, server; but normally I
would assess the risk as only requiring that it run as an unprivileged
user assuming the system it runs on is reasonably secure otherwise and
that it's regularly monitored (e.g. run process accounting reports
regularly, perhaps once per hour, and write a filter script that e-mails
or pages you with a list of all processes other than named-xfer that
were run by the unprivileged user -- you should get no e-mails/pages).

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
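Added illustration for this archive page of the hourly filter Greg describes in the last paragraph of his message; it is not code from his message or from BIND. It assumes the unprivileged account is called "named", that process accounting is enabled and lastcomm is on the path, and that named-xfer is the only command expected under that account; the sample accounting lines are constructed, not real. Two caveats worth knowing before relying on it: accounting records are written when a process exits, so a long-running implant only shows up once it terminates, and a nameserver that has dropped privileges is itself recorded under the unprivileged uid when it exits (for instance on a restart), so it may need adding to the allowlist.

```sh
#!/bin/sh
# named-watch.sh: report every command that process accounting recorded for the
# unprivileged nameserver account, except the ones we expect to see there.
# Feed it `lastcomm` output on stdin (hourly from cron); an empty report is the
# normal case, anything else deserves a page.
#
# Assumptions (not from the original message): the account is called "named",
# the only expected command is "named-xfer", and lastcomm prints its BSD/GNU
# layout: command [flags] user tty cpu "secs" <4-token date>.

ACCT_USER="${ACCT_USER:-named}"
ALLOW="${ALLOW:-named-xfer}"        # space-separated allowlist of commands

# Constructed sample accounting records for offline testing, not real data.
SAMPLE='named-xfer  -  named   __   0.03 secs Mon May  8 10:00
sendmail    -  root    __   0.10 secs Mon May  8 10:01
named-xfer  F  named   __   0.02 secs Mon May  8 10:05
sh          -  named   __   0.01 secs Mon May  8 10:12
id          -  named   __   0.00 secs Mon May  8 10:12'

# suspicious USER ALLOWLIST: print the lastcomm records (read from stdin) of
# commands run by USER whose command name is not in ALLOWLIST.
suspicious() {
    awk -v user="$1" -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Fields are counted from the right because the flags column may be blank:
    # 4 date tokens, "secs", cpu seconds, tty, then the user. The command is $1.
    NF >= 9 && $(NF-4) == "secs" {
        if ($(NF-7) == user && !($1 in ok)) print
    }'
}

# suspicious_count USER ALLOWLIST: number of records suspicious() would print.
suspicious_count() {
    suspicious "$1" "$2" | awk 'END { print NR }'
}

# report USER ALLOWLIST: human-readable report on stdout; returns 1 when
# anything was found so a cron wrapper can decide to page.
report() {
    found=$(suspicious "$1" "$2")
    if [ -z "$found" ]; then
        echo "no unexpected processes for $1"
        return 0
    fi
    printf 'unexpected processes run by %s:\n%s\n' "$1" "$found"
    return 1
}

case "${1-}" in
    demo) printf '%s\n' "$SAMPLE" | report "$ACCT_USER" "$ALLOW" ;;   # offline run
    run)  lastcomm | report "$ACCT_USER" "$ALLOW" ;;                  # on a real host
esac
```

Run "sh named-watch.sh demo" to see the two offending records (the sh and id runs) while both named-xfer records and root's sendmail are ignored. From cron, "named-watch.sh run" prints the report, which cron mails to the job owner; the non-zero return when something is found is what a pager hook can key on, so in the normal case nothing arrives.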


