Security Incidents mailing list archives

Re: Pubstro rash


From: Mark Coleman <markc () uniontown com>
Date: Thu, 17 Mar 2005 16:50:45 -0500

Hi David,

>3.  Instead of a random high port, the installed FTP server
>listens on port 53.  Which I can't block, because DNS may
>need to use it, right?
>
>4.  The FTP banners all claim to be the work of "Droppunx".

If these are workstations, not servers, then you should be able to block TCP 53 INBOUND to them from the world without harming their DNS resolution, and effectively block the world's access to these FTP servers running on tcp port 53. Since you say they have a banner, I am assuming TCP.

DNS typically (from memory) will use UDP for most requests, but will fall over to TCP for requests over 576 bytes in size. But if these are workstations, then you can allow both TCP/UDP port 53 OUT and still block TCP port 53 IN, and that shouldn't affect DNS for these workstations. TCP, being stateful, lets you discriminate on direction at layer 4. Stopping inbound SYNs on port 53 IN will only cause a problem if it's a DNS server that the world is trying to hit.

-Mark Coleman
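Mark's point about direction, as an added example that is not part of the thread: a small Python model of a stateful, direction-aware filter on one host, run over a constructed packet trace. It accepts the workstation's own outbound DNS (UDP, plus the TCP fallback) and the replies to it, but drops a new inbound TCP connection to port 53, which is what keeps the rogue FTP server unreachable. The `dns_server` flag models the one case Mark says the rule would break. The addresses, port numbers and trace are constructed; the iptables lines in the docstring are the equivalent policy a Linux workstation would carry, written for this example rather than taken from the thread.

```python
from dataclasses import dataclass

# Constructed addresses for the example (RFC 5737 documentation ranges).
WORKSTATION = "192.0.2.10"    # the infected workstation being protected
RESOLVER = "198.51.100.1"     # its upstream DNS resolver
ATTACKER = "203.0.113.5"      # outside host probing the FTP server on tcp/53


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


class StatefulFilter:
    """Direction-aware filter for a single host.

    Equivalent iptables policy on the workstation (INPUT policy DROP):
        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
        iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT  -p tcp --dport 53 -j DROP
    The last rule is redundant under a DROP policy but documents the intent.
    """

    def __init__(self, host, dns_server=False):
        self.host = host
        self.dns_server = dns_server   # True only if this host must answer DNS
        self.flows = set()             # 5-tuples of flows the host initiated

    @staticmethod
    def _flow(proto, a, ap, b, bp):
        return (proto, a, ap, b, bp)

    def filter(self, pkt):
        """Return "ACCEPT" or "DROP" for one packet, updating flow state."""
        if pkt.src == self.host:                       # outbound direction
            if pkt.dport == 53:
                self.flows.add(self._flow(pkt.proto, pkt.src, pkt.sport,
                                          pkt.dst, pkt.dport))
                return "ACCEPT"
            return "DROP"   # model carries only DNS; a real OUTPUT chain allows more

        # Inbound: a reply to a flow this host opened is ESTABLISHED.
        reverse = self._flow(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "ACCEPT"

        # Inbound NEW (a bare TCP SYN, or unsolicited UDP) aimed at port 53.
        if pkt.dport == 53 and self.dns_server:
            return "ACCEPT"   # only a real DNS server needs to take these
        return "DROP"         # workstation: the FTP server on tcp/53 is unreachable


def run_trace(filt):
    """Push a constructed trace through the filter and return the verdicts."""
    trace = [
        Packet("udp", WORKSTATION, 40000, RESOLVER, 53),                      # DNS query out
        Packet("udp", RESOLVER, 53, WORKSTATION, 40000),                      # answer back
        Packet("tcp", WORKSTATION, 40001, RESOLVER, 53, syn=True),            # TCP fallback SYN out
        Packet("tcp", RESOLVER, 53, WORKSTATION, 40001, syn=True, ack=True),  # SYN-ACK back
        Packet("tcp", ATTACKER, 51234, WORKSTATION, 53, syn=True),            # probe of rogue FTP
        Packet("udp", ATTACKER, 51234, WORKSTATION, 53),                      # unsolicited UDP
    ]
    return [filt.filter(p) for p in trace]


if __name__ == "__main__":
    print("workstation:", run_trace(StatefulFilter(WORKSTATION)))
    print("dns server: ", run_trace(StatefulFilter(WORKSTATION, dns_server=True)))
```

The first four verdicts are accepts because the workstation started each flow, so the replies match an existing entry; the attacker's SYN and UDP probe match nothing and fall to the inbound drop. Flipping `dns_server` to `True` is the only way an inbound new connection to 53 gets through, which is exactly the case Mark carves out.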
